The spillover from a cyberattack against Okta’s support system is growing as more victims come forward.
1Password on Monday said it, too, was impacted by the Okta support system breach, which led to an intrusion of its Okta environment, making it the third security-oriented victim to come forward after BeyondTrust and Cloudflare.
“After a thorough investigation, we concluded that no 1Password user data was accessed,” CTO Pedro Canahuati said in a Monday blog post.
“We immediately terminated the activity, investigated and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” Canahuati said.
The password manager, which has more than 100,000 business customers, detected suspicious activity on its Okta instance on Sept. 29. BeyondTrust discovered a similar intrusion on its Okta environment and alerted Okta to the breach on Oct. 2.
1Password uses Okta to manage employee-facing applications. All three victim organizations that have come forward claim to have detected and thwarted the threat actor before damages occurred.
“This incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization,” 1Password wrote in an internal incident report it made public on Monday.
“The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack,” the incident report said.
1Password is waiting for Okta, which didn’t disclose the attack against its customer support system until Friday, to pull and share additional log entries for further review, the company said.
Okta did not immediately respond to an inquiry on 1Password’s exposure and hasn’t said how the threat actor accessed an Okta support system administrator account credential.