``Suspicious activity'' detected at developer of password management app ``1Password''
The developer of the password management app 1Password has announced that it has detected suspicious activity within the company. It has been revealed that the suspicious activity occurred via Okta , an authentication system used internally by 1Password.
Okta incidents and 1Password | 1Password
https://blog.1password.com/okta-incident/
We detected suspicious activity on our Okta instance but confirmed no user data was accessed.
— 1Password (@1Password) October 23, 2023
Pedro Canahuati, our CTO, provides more information in this blog post https://t.co/x2bAUvw7ez , which includes our internal Okta Incident Report for additional details.
According to a report from 1Password, suspicious activity was detected on September 29, 2023 on an Okta instance used to manage employee apps.
Immediately after detecting suspicious activity, 1Password suspended internal operations and conducted an investigation. As a result, no breaches of 1Password user data were discovered, nor were any breaches of sensitive internal 1Password data discovered. 1Password said, ``Based on a thorough investigation, we have concluded that 1Password user data has not been accessed,'' emphasizing that the suspicious activity does not affect users.
After 1Password detected suspicious activity on an Okta instance, we worked with Okta to investigate and found that the suspicious activity was related to ``unauthorized access to Okta's support system.''
According to a breach report published by Okta, the attacker stole Okta credentials and accessed Okta's support case management system. This allowed the attacker to view files uploaded by Okta users. Okta has already sent notifications to affected customers, and customers who have not received notifications are not affected by this breach. In addition, Okta discloses the following IP addresses as 'indications of compromise' in the breach report.
23.105.182.19
104.251.211.122
202.59.10.100
162.210.194.35 (BROWSEC VPN)
198.16.66.124 (BROWSEC VPN)
198.16.66.156 (BROWSEC VPN)
198.16.70.28 (BROWSEC VPN)
198.16.74.203 (BROWSEC VPN)
198.16.74.204 (BROWSEC VPN)
198.16.74.205 (BROWSEC VPN)
198.98.49.203 (BROWSEC VPN)
2.56.164.52 (NEXUS PROXY)
207.244.71.82 (BROWSEC VPN)
207.244.71.84 (BROWSEC VPN)
207.244.89.161 (BROWSEC VPN)
207.244.89.162 (BROWSEC VPN)
23.106.249.52 (BROWSEC VPN)
23.106.56.11 (BROWSEC VPN)
23.106.56.21 (BROWSEC VPN)
23.106.56.36 (BROWSEC VPN)
23.106.56.37 (BROWSEC VPN)
23.106.56.38 (BROWSEC VPN)
23.106.56.54 (BROWSEC VPN)
Additionally, the attacker was using the following user agent. The user agent itself is the usual Chrome 99 one, but Okta points out that 'given Chrome 99's release date is March 2022, this user agent may be rare.' .
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)
The 1Password incident report can be viewed below.
Copy of Okta Incident Report Final - okta-incident-report.pdf
https://blog.1password.com/files/okta-incident/okta-incident-report.pdf
Related Posts:
in Security, Posted by log1o_hf