Kamso Oguejiofor-Abugu
Updated on: October 25, 2023 
In a recently disclosed security incident, 1Password detected suspicious activity on its Okta instance related to Okta’s Support System incident. On September 29, 2023, a member of Okta’s IT team received a suspicious email indicating they had initiated a report of Okta admin accounts — an action they hadn’t performed. Alarmed, they alerted the company’s security incident response team.
“Preliminary investigations revealed activity in our Okta environment was sourced by a suspicious IP address and was later confirmed that a threat actor had accessed our Okta tenant with administrative privileges,” 1Passwsord’s security incident report read.
This illicit activity shares resemblances to a known cyber attack pattern wherein attackers compromise super admin accounts to tamper with authentication flows, impersonating users of the affected organization.
Notably, the attacker’s initial intent appeared to be information reconnaissance, possibly preparing for a more sophisticated assault. As such, there’s “no evidence that proves the actor accessed any systems outside of Okta.”
According to the report, the attacker was able to access Okta’s administrative portal using a session initiated by the IT team member to create an HAR file (a record of all traffic between a browser and Okta servers). The attacker attempted various actions, including the activation of an Identity Provider (IDP) and requesting an administrative users report, which led to the email notification to the IT team member.
“The HAR file was created on the team member’s macOS laptop and uploaded via hotel provided WiFi, as this event occurred at the end of a company event,” the report read. “Based on an analysis of how the file was created and uploaded, Okta’s use of TLS and HSTS, and the prior use of the same browser to access Okta, it is believed that there was no window in which this data could have been exposed to the WiFi network, or otherwise subject to interception.”
In response to the breach, extensive security updates have been initiated, including denying logins from non-Okta IDPs, stricter Multi-Factor Authentication (MFA) rules for administrative users, and reduced session times.
- SEO Powered Content & PR Distribution. Get Amplified Today.
- PlatoData.Network Vertical Generative Ai. Empower Yourself. Access Here.
- PlatoAiStream. Web3 Intelligence. Knowledge Amplified. Access Here.
- PlatoESG. Carbon, CleanTech, Energy, Environment, Solar, Waste Management. Access Here.
- PlatoHealth. Biotech and Clinical Trials Intelligence. Access Here.
- Source: https://www.safetydetectives.com/news/security-breach-at-okta-incident-highlights-need-for-enhanced-protocols/
