Okta data breach spreads to Cloudflare and 1Password
It was just yesterday that we wrote about Okta after the single-sign-on cybersecurity firm confirmed that hackers had gained access to its system using stolen tokens and credentials from its support unit. Now, the incident has spread to network and security giant Cloudflare and password manager maker 1Password.
In statements released yesterday, both Cloudflare and 1Password confirmed that their systems had been briefly targeted by hackers in the wake of the recent breach of Okta’s support unit. Both companies said the incidents were connected to the Okta breach and stressed that their customer systems and user data were not affected.
“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” said 1Password chief technology officer Pedro Canahuati in a blog post. “We’ve confirmed that this was a result of Okta’s support system breach,” said Canahuati.
Canahuati said the company detected suspicious activity on its Okta instance linked to Okta’s support system incident and, after a thorough investigation, concluded that no 1Password user data had been accessed. The activity was identified on September 29 on the Okta instance 1Password uses to manage its internal apps; it was stopped immediately, and the investigation found no compromise of user data or of other sensitive systems, whether employee-facing or user-facing. Canahuati explained:
“We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed. On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.
Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach.”
Cloudflare also confirmed in a blog post on Friday that its systems had been targeted by hackers using a session token pilfered from Okta’s support unit. Grant Bourzikas, Cloudflare’s Chief Information Security Officer, explained that the incident, which began on October 18, resulted in no unauthorized access to Cloudflare’s systems or data, largely because Cloudflare uses hardware security keys for multi-factor authentication, which are resistant to phishing.
“On Wednesday, October 18, 2023, we discovered attacks on our system that we were able to trace back to Okta – threat actors were able to leverage an authentication token compromised at Okta to pivot into Cloudflare’s Okta instance. While this was a troubling security incident, our Security Incident Response Team’s (SIRT) real-time detection and prompt response enabled containment and minimized the impact to Cloudflare systems and data. We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response. Okta has now released a public statement about this incident.
This is the second time Cloudflare has been impacted by a breach of Okta’s systems. In March 2022, we blogged about our investigation on how a breach of Okta affected Cloudflare. In that incident, we concluded that there was no access from the threat actor to any of our systems or data – Cloudflare’s use of hard keys for multi-factor authentication stopped this attack.”
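Cloudflare credits “real-time detection” for containing the use of the stolen token. As an added illustration that is not from the original article or from Cloudflare, 1Password or Okta, the following Python sketch shows one common form such detection takes: a session is bound to the client that created it at login, and any later request carrying the same session identifier from a different client network or browser fingerprint is flagged. The log records, session identifiers, user names and IP addresses are constructed for this example and do not reflect Okta’s own System Log schema.

```python
"""Flag reuse of a web session from a client other than the one that created it.

Each record is a constructed, simplified access-log event (an assumption for
this example, not Okta's real log format). A session is bound to the client
network and User-Agent seen at its "login" event; later requests with the same
session identifier but a different network or User-Agent are reported, as is
any request whose session was never seen being created.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: str          # ISO-8601 timestamp (constructed)
    session_id: str  # opaque session / token identifier
    user: str
    ip: str
    user_agent: str
    action: str      # "login" creates the session; anything else uses it


@dataclass(frozen=True)
class Binding:
    user: str
    network: str     # prefix the session was established from
    user_agent: str


@dataclass(frozen=True)
class Alert:
    ts: str
    session_id: str
    user: str
    reason: str
    action: str


def client_network(ip: str) -> str:
    """Coarsen an address to a /24 (IPv4) or /64 (IPv6) so ordinary carrier
    NAT churn does not alert while a move to a different network does."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def detect_session_hijack(events: List[Event]) -> List[Alert]:
    """Return alerts for events that do not match their session's login binding."""
    bindings: Dict[str, Binding] = {}
    alerts: List[Alert] = []
    for e in events:
        if e.action == "login":
            bindings[e.session_id] = Binding(e.user, client_network(e.ip), e.user_agent)
            continue
        b: Optional[Binding] = bindings.get(e.session_id)
        if b is None:
            # Token presented without a corresponding login in our logs:
            # minted elsewhere (e.g. copied out of a support artifact) or a log gap.
            alerts.append(Alert(e.ts, e.session_id, e.user, "unknown_session", e.action))
            continue
        reasons = []
        if client_network(e.ip) != b.network:
            reasons.append("network_changed")
        if e.user_agent != b.user_agent:
            reasons.append("user_agent_changed")
        if reasons:
            alerts.append(Alert(e.ts, e.session_id, e.user, "+".join(reasons), e.action))
    return alerts


# Constructed sample log: a legitimate session, then the same token replayed
# from a different network and browser to perform an administrative action.
UA_MAC = "Mozilla/5.0 (Macintosh) Chrome/118"
UA_LINUX = "Mozilla/5.0 (X11; Linux) Firefox/118"
SAMPLE_EVENTS = [
    Event("2023-10-18T09:00:00Z", "s1", "alice", "203.0.113.10", UA_MAC, "login"),
    Event("2023-10-18T09:05:00Z", "s1", "alice", "203.0.113.10", UA_MAC, "app.list"),
    Event("2023-10-18T09:20:00Z", "s1", "alice", "203.0.113.42", UA_MAC, "app.list"),
    Event("2023-10-18T10:12:00Z", "s1", "alice", "198.51.100.77", UA_LINUX, "admin.user.create"),
    Event("2023-10-18T10:13:00Z", "s9", "alice", "198.51.100.77", UA_LINUX, "admin.app.read"),
]

if __name__ == "__main__":
    for a in detect_session_hijack(SAMPLE_EVENTS):
        print(f"{a.ts} session={a.session_id} user={a.user} {a.reason} during {a.action}")
```

The third event moves within the same /24 and is deliberately not flagged; the fourth trips both the network and User-Agent checks while performing an administrative action, which is exactly the kind of event a response team would want surfaced in real time rather than found in a later review.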
While Okta may not be a household name, it plays a critical role in the cybersecurity systems of major corporations. The identity management company serves over 18,000 customers, offering a single login point for various platforms used by these organizations. For instance, Zoom utilizes Okta to provide seamless access to Google Workspace, ServiceNow, VMware, and Workday platforms.
BeyondTrust was the first company to report the breach, doing so before Okta had informed affected customers.
Meanwhile, late on Friday night, Okta said it had communicated with all impacted customers following Friday’s announcement. Notably, at least one of those customers had alerted Okta to a potential breach weeks earlier.
In a separate statement, privately held identity management firm BeyondTrust revealed that its security teams detected an identity-centric attack on an in-house Okta administrator account on October 2, 2023. BeyondTrust managed to detect and resolve the attack using its Identity Security tools, ensuring no impact or exposure to its infrastructure or customers. However, Okta did not initially classify the incident as a breach, despite concerns raised by BeyondTrust about the likelihood of compromise within Okta support and the potential impact on other customers.
“On October 2nd, 2023, the BeyondTrust security teams detected an identity-centric attack on an in-house Okta administrator account. We immediately detected and remediated the attack through our own Identity Security tools, resulting in no impact or exposure to BeyondTrust’s infrastructure or to our customers. The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers,” BeyondTrust wrote.
Founded in 2009 by Todd McKinnon and Frederic Kerrest, Okta is a cybersecurity firm renowned for delivering identity and access management solutions, facilitating secure and seamless access to various digital services and platforms for organizations.