Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Privacy

1Password Discloses Security Incident Linked To Okta Breach (bleepingcomputer.com) 27

Lawrence Abrams reports via BleepingComputer: 1Password, a popular password management platform used by over 100,000 businesses, suffered a security breach after hackers gained access to its Okta ID management tenant. "We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed," reads a very brief security incident notification from 1Password CTO Pedro Canahuati. "On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing."

On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials. As part of these support cases, Okta routinely asks customers to upload HTTP Archive (HAR) files to troubleshoot customer problems. However, these HAR files contain sensitive data, including authentication cookies and session tokens that can be used to impersonate a valid Okta customer. Okta first learned of the breach from BeyondTrust, who shared forensics data with Okta, showing that their support organization was compromised. However, it took Okta over two weeks to confirm the breach.

This discussion has been archived. No new comments can be posted.

1Password Discloses Security Incident Linked To Okta Breach

Comments Filter:
  • Haven't they been hacked a zillion times? Say hello to Pass [wikipedia.org] or literally any non-cloud password manager and be done with it.
    • I believe you are thinking of lastpass.

    • by Anubis IV ( 1279820 ) on Monday October 23, 2023 @09:32PM (#63947867)

      Haven't they been hacked a zillion times?

      You're thinking of LastPass, which has been hacked numerous times and which everyone should have abandoned years ago.

      1Password has had a spotless track record to date, and they've published numerous white papers about how they secure user data. Long story short: they lock every cloud-backed account behind a private key that is generated on-device and is never in their possession. That's in addition to the eponymous "one password" that you must additionally provide to unlock a vault.

      • Haven't they been hacked a zillion times?

        You're thinking of LastPass, which has been hacked numerous times and which everyone should have abandoned years ago.

        1Password has had a spotless track record to date, and they've published numerous white papers about how they secure user data. Long story short: they lock every cloud-backed account behind a private key that is generated on-device and is never in their possession. That's in addition to the eponymous "one password" that you must additionally provide to unlock a vault.

        Still, 100,000 businesses use it... thats like absolutely microscopic...
        Why would they even note such a number?

      • by AmiMoJo ( 196126 )

        Their incident report is a bit of an eye opener though. They apparently scanned their system with the free version of Malwarebytes, and declared it uncompromised.

        • Their incident report is a bit of an eye opener though. They apparently scanned their system with the free version of Malwarebytes, and declared it uncompromised.

          Are you deliberately posting misinformation or is that the actual reading you came away with? Because you conveniently omitted that they also isolated the computer that submitted the HAR file so that they could conduct further analyses, immediately rotated credentials for the compromised user, reported the incident to the vendor who was ultimately proven to be responsie, and did NOT reach the conclusion you falsely claim they did. To the contrary, their documented hypothesis was that the computer was likely

          • by AmiMoJo ( 196126 )

            Apparently their investigation budget didn't stretch to the paid version of Malwarebytes though.

    • Just be careful where you download it from [bleepingcomputer.com].

      Google malvertising is currently experiencing another boom [bleepingcomputer.com] (kinda odd that we didn't get that as a story here yet).

      • Well, that's good advice, but I'd go as far as to say if you are keeping your passwords "in the cloud" you're exposing yourself to a lot of extra risk for the sake of convenience. It's probably worth refactoring the solution to avoid that risk since it's not that hard. I think KeePass is a local password manager. So, maybe their problem was with backdoor'd phoning-home binaries, but either way, an extra measure of caution is probably prudent when using anything to manage passwords, even pencil and paper.
        • I'm sorry, but did you read either article?

          Yes, Keepass is a local PW manager, and the sponsored link led to a fake webpage that looks like the keepass one with a name along the lines of kéepass.info (it's on the k, but I don't have any idea how to do that character, and there's a pretty good chance /. won't display it properly anyway) with a doctored version of the manager that also installed some sort of malware.

    • My immediate thought just seeing the headline.

  • by ctilsie242 ( 4841247 ) on Monday October 23, 2023 @10:08PM (#63947935)

    There is one advantage 1Password has over other PW managers. The secondary secret key. Yes, it is annoying that when enrolling a new device or logging on the website, that you need your username, main password, the secret key, and your 2FA code, but that secret key is what ensures that if an attacker grabs the PW databases, all of them are useless to the attacker unless they are able to compromise endpoints... and if an endpoint is compromised, the attacker likely has access anyway.

    Even if 1Password was grossly compromised, an attacker may be able to see size of files and account IDs, but everything else like URLs, usernames and everything else in the PW DB would be well out of reach.

    In any case, it can't hurt to log into 1Password and rotate your key, log all devices out and log back in.

    • by Anonymous Coward

      Thanks for that info! Using what you wrote, I searched to see if Bitwarden had the same feature, and it is documented [bitwarden.com]. I learned something new today.

      A few years ago, I switched from 1password to Bitwarden because Bitwarden is free, and open-source, (and honestly, the UI/UX is better too). But mostly because it is free, which matters for me at present.

      • I use the paid version of both. One for passwords, one for 2FA keys. This way, a desktop has access to passwords, but if a desktop is compromised, the 2FA shared secrets are out of reach.

        The key in is different. That is a master key which one's password decrypts all the database stuff, and is secured by one's password. 1Password has a master key, but requires two items to decrypt it, the password, and a secret key [1password.com]. Lots of keys, and it is easy to get confused between the top level key that decrypts all

    • Why would I NOT want to just store my database in my Dropbox or iCloud instead?
      Why force me into their 1Password-infrastructure?
      Just so they can milk a subscription model and make even more $$$?

      A password manager is THE prime example for a one-time-purchase license. It needs some maintenance and updates, yes, but that should easily be covered by new customers since it is comparatively little work. It is a very limited, finite software with lots of polishing minor details.

      • by flink ( 18449 )

        Try Codebook. I've been using it since it was a palm pilot app called STRIP. The core engine is open source, it's just the UI which is commercial. You buy it once on each platform you use it on and get free updates from there. Been using it for something like 20 years. My favorite piece of software.

        • This looks amazing, thank you! Dont know how I could have missed it for so long⦠I switched from 1Pw to Minimalist and quite like it but sadly they only offer subscriptions now for new users, and I simply do not understand how they justify it.

        • Codebook also uses a sync key, so an attacker who snarfs your password database from the cloud provider has to deal with not just your master password, but that sync key as well, pretty much making it impossible to decrypt your passwords without compromising one of your endpoints.

          Same with KeePass plus a keyfile which is copied to endpoints.

    • by flink ( 18449 )

      There are other password managers that do this, and don't store everyone's password in a single centralized location, encrypted or not. Codebook [zetetic.net] for example has a master encryption key that is locked with a per device secret and supports local wifi device-to-device sync or syncing to a Google drive. Enrolling a new device involves typing in the key using codewords or scanning it as a QR code from an already enrolled device. But the company Zetetic, has nothing to do with managing your password on a day to d

    • by AmiMoJo ( 196126 )

      Keepass has that feature. You can have a password, various types of 2FA, a keyfile, and combine them all.

    • by slyborg ( 524607 )

      They compromised a session key of an insider, which could give them access to whatever internal tools they have, which could allow exfiltrating vaults. If they are secured with poor keys (which is likely for most people) they could be offline cracked.
      This seems pretty bad, they don't appear to know what was actually accessed internally. The timeframe before they reset sessions was fairly short (a couple of days?)

  • And that is why a subscription-based password manager that FORCES you to only store on their infrastructure is a horrible idea. See LastPass.
    You have an even larger target painted on your back instantly.
    When 1Password made that switch, I immediately jumped ship and could not be happier.
    Their software used to be great, but their MBAs and their insane greed completely ruined the whole thing.

No spitting on the Bus! Thank you, The Mgt.

Working...