1Password Becomes Latest Victim of Okta Customer Service Breach

Published: 23/11/2024   Category: security




Okta's IAM platform finds itself in cyberattackers' sights once again, as threat actors mount a supply chain attack targeting Okta customer support engagements.



Password manager 1Password has become the second publicized victim of Okta's recent customer support breach, news of which came to light last week. It is just the latest in a string of cyberattacks aimed at gaining access to highly privileged Okta accounts.

Okta, a cloud-based, enterprise-grade identity and access management (IAM) service that connects enterprise users across applications and devices, is used by more than 17,000 customers globally. On Friday, it disclosed that a threat actor had used stolen credentials to access its customer support case management system. The attacker then leveraged that access to penetrate some of those thousands of customers via their recent customer support engagements.
This is what happened with 1Password. On Sept. 29, the password-management company observed suspicious activity within the Okta instance that it uses for managing its employee-facing apps, according to a company statement. The activity was quickly terminated, and while the company did not detail the extent of the intrusion into employee apps, it did say that no user or employee data or other sensitive systems were compromised.
News of more victims may yet be coming. Okta wrote on Friday that it has informed other potentially affected customers.
This is the latest attack on Okta, which continues to be a popular target for cybercriminals because it offers access to so much sensitive information. In August, the company detailed a campaign in which threat actors used social engineering to convince IT desk personnel to reset multifactor authentication (MFA) for highly privileged Okta enterprise accounts, opening the door to lateral movement.
And the more recent, highly publicized MGM and Caesars Palace ransomware incidents involved a subversion of Okta Agent via social engineering, leading to deep infections of the Vegas giants.
The first news of Okta's latest breach was provided not by Okta, but by BeyondTrust, a separate IAM security vendor. On October 2, the company reported, an attacker tried using a valid session cookie stolen from Okta's support system to gain access to BeyondTrust's Okta administrator account.
"They requested a HAR [HTTP archive] file in an email," recalls James Maude, director of research at BeyondTrust, "and within that HAR file was a session token which the attacker within 30 minutes had grabbed out of their support system. And then they used that session token to authenticate in and start to try and do malicious things."

That the attacker pounced so quickly was necessary, as session tokens expire quickly, but also suspicious. "That was one of the things that made us wonder — that someone was just sitting, waiting for these files to be uploaded," Maude says.
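The HAR file Maude describes is exactly where this kind of exposure lives: a browser's HAR export records every request and response, cookies and Authorization headers included, so a live session cookie travels with the file unless it is stripped first. The Python below is an added example, not code from 1Password, Okta or BeyondTrust. It redacts every cookie value and each credential-bearing header in a HAR 1.2 file while keeping URLs, status codes and other headers that support staff actually need. The sample HAR, the `example-org.okta.com` hostname and the cookie value are constructed for the example; the header list (including the assumed `X-Okta-XsrfToken` name) is a starting point, not an exhaustive one.

```python
"""Redact session material from an HTTP Archive (HAR) file before it is shared.

Added example, not code from 1Password, Okta or BeyondTrust. Assumes the
standard HAR 1.2 layout: log.entries[].request / .response, each carrying
cookies[] and headers[] as lists of {"name": ..., "value": ...} pairs.
"""
import copy
import json

REDACTED = "[REDACTED]"
# Header names (lower-cased) whose values carry cookies or bearer credentials.
# X-Okta-XsrfToken is an assumed name; extend the set for your own apps.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-okta-xsrftoken"}


def _redact_pairs(pairs, names=None):
    """Blank the value of each {name, value} pair; all pairs when names is None.

    Returns how many values were changed so the caller can report it.
    """
    changed = 0
    for pair in pairs:
        if names is None or pair.get("name", "").lower() in names:
            if pair.get("value") != REDACTED:
                pair["value"] = REDACTED
                changed += 1
    return changed


def sanitize_har(har):
    """Return (sanitized_copy, number_of_redactions).

    Every cookie value is redacted (session cookies such as Okta's `sid` ride
    here), as are credential-bearing headers on both request and response.
    The original dict is left untouched.
    """
    clean = copy.deepcopy(har)
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            count += _redact_pairs(message.get("cookies", []))
            count += _redact_pairs(message.get("headers", []), SENSITIVE_HEADERS)
    return clean, count


def leaked_values(har, needle):
    """Count occurrences of `needle` anywhere in the serialized HAR."""
    return json.dumps(har).count(needle)


# Constructed sample: one admin-console request whose session cookie appears
# three times (request cookie list, Cookie header, Set-Cookie header).
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example-org.okta.com/api/v1/users/me",
                    "cookies": [{"name": "sid", "value": "102AbCdEf-constructed"}],
                    "headers": [
                        {"name": "Cookie", "value": "sid=102AbCdEf-constructed"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                },
                "response": {
                    "status": 200,
                    "cookies": [],
                    "headers": [
                        {"name": "Set-Cookie",
                         "value": "sid=102AbCdEf-constructed; Secure; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                },
            }
        ],
    }
}


if __name__ == "__main__":
    clean, redactions = sanitize_har(SAMPLE_HAR)
    print(f"{redactions} values redacted; "
          f"token still present: {leaked_values(clean, 'constructed') > 0}")
    print(json.dumps(clean, indent=2))
```

Run it against a real export with `json.load` on the HAR file and write the sanitized copy out; anything the sanitizer leaves behind that still looks like a token is a sign the allowlist of headers needs extending for that application.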
Logs revealed that the attacker was visiting from an IP address in Malaysia, routed through a VPN service. Like 1Password three days prior, BeyondTrust says it successfully terminated the attack before any infrastructure or customer data was damaged.
Affected customers with less effective detection and response may find themselves in a great deal more trouble than Okta's first two reported victims.

"The big risk is that they wouldn't necessarily even notice they've been compromised," Maude explains. "If the attacker is able to use the token to authenticate himself with a level of privilege where he can create accounts, add users to privileged groups that are then under their control, then that's effectively a backdoor into an Okta environment. And once they're able to get into that environment, if they're able to add an identity provider, they can then impersonate other users within the organization to gain access to the apps and other technologies that Okta is the gateway to through single sign-on (SSO)."
Companies should be aware of the sensitivity in sharing data with even trusted customer service agents, and proactively protect their most sensitive accounts to prepare for a worst-case scenario.

"Even if it's not through a support portal, there are other ways that attackers will seek to compromise Okta users. Organizations really need to step up their monitoring around Okta authentication events involving admin users," Maude concludes.
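Maude's closing advice can be turned into two concrete checks over Okta System Log records. The first flags a privileged change (account creation, admin role grant, group membership change, new identity provider) made from a source IP the acting admin has never used before. The second flags a single session identifier observed from more than one IP, which is what replay of a stolen session cookie looks like: no fresh login event occurs, the existing session simply starts issuing requests from somewhere else. The Python below is an added example, not code from any of the vendors named in the article. The log records are constructed; the event type names and the `authenticationContext.externalSessionId` field are assumed to match the Okta System Log schema and should be checked against your own tenant's export before relying on them.

```python
"""Two detections over Okta System Log events: privileged changes from an unseen
source IP, and one session id seen from several IPs (stolen-cookie replay).

Added example, not code from 1Password, Okta or BeyondTrust. Event type names
and the authenticationContext.externalSessionId field are assumed to follow the
Okta System Log schema; the records below are constructed (TEST-NET addresses).
"""
from collections import defaultdict

# Event types that create persistence or widen access in an Okta org (assumed
# names; verify against your tenant's System Log).
HIGH_RISK = {
    "user.lifecycle.create",         # new account
    "user.account.privilege.grant",  # admin role granted
    "group.user_membership.add",     # user added to a (possibly privileged) group
    "system.idp.lifecycle.create",   # new identity provider: impersonation path
}


def source_ip(ev):
    return ev["client"]["ipAddress"]


def session_id(ev):
    return ev.get("authenticationContext", {}).get("externalSessionId")


def build_baseline(history):
    """Map each actor to the set of source IPs seen in the historical window."""
    seen = defaultdict(set)
    for ev in history:
        seen[ev["actor"]["alternateId"]].add(source_ip(ev))
    return seen


def detect(events, baseline):
    """Return a list of alert dicts for the two rules described above."""
    alerts = []
    session_ips = defaultdict(set)
    for ev in events:
        actor = ev["actor"]["alternateId"]
        ip = source_ip(ev)
        # Rule 1: privileged change from an IP this admin has never used.
        if ev["eventType"] in HIGH_RISK and ip not in baseline.get(actor, set()):
            alerts.append({"rule": "new-ip-privileged-change", "actor": actor,
                           "eventType": ev["eventType"], "ip": ip})
        sid = session_id(ev)
        if sid:
            session_ips[sid].add(ip)
    # Rule 2: the same session id active from more than one source IP.
    for sid, ips in session_ips.items():
        if len(ips) > 1:
            alerts.append({"rule": "session-from-multiple-ips", "session": sid,
                           "ips": tuple(sorted(ips))})
    return alerts


def _event(event_type, actor, ip, sid):
    """Build a minimal System Log-shaped record (constructed for this example)."""
    return {
        "eventType": event_type,
        "actor": {"alternateId": actor, "type": "User"},
        "client": {"ipAddress": ip},
        "authenticationContext": {"externalSessionId": sid},
        "outcome": {"result": "SUCCESS"},
    }


# Constructed history: the admin always works from 203.0.113.10.
HISTORY = [
    _event("user.session.start", "admin@example.com", "203.0.113.10", "sess-prior-1"),
    _event("group.user_membership.add", "admin@example.com", "203.0.113.10", "sess-prior-1"),
]

# Constructed current window: a normal login, then the same session id
# performing privileged changes from a different network.
TODAY = [
    _event("user.session.start", "admin@example.com", "203.0.113.10", "sess-today"),
    _event("user.lifecycle.create", "admin@example.com", "198.51.100.77", "sess-today"),
    _event("group.user_membership.add", "admin@example.com", "198.51.100.77", "sess-today"),
    _event("system.idp.lifecycle.create", "admin@example.com", "198.51.100.77", "sess-today"),
]


if __name__ == "__main__":
    for alert in detect(TODAY, build_baseline(HISTORY)):
        print(alert)
```

The baseline window should be long enough to cover an admin's normal set of networks (office, home, VPN egress) or the first rule will page on every travel day; the second rule needs no baseline at all and is the one that matches the BeyondTrust scenario most directly, since a replayed cookie keeps the victim's session id but arrives from the attacker's address.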
