- Okta detailed a breach of its systems that it detected last week.
- While the damage was minimal, the incident has raised eyebrows following a different breach at Okta in 2022.
- Companies impacted by this latest breach include 1Password and Cloudflare, both of which have issued communications to their clients.
The popularity of cloud platforms and services means that companies don’t have to build out their own storage, security, and other critical infrastructure and can instead rely on firms that offer those services and platforms. This convenience comes at a cost, a cost that the likes of 1Password and Cloudflare are dealing with right now.
At the weekend, Okta, which operates secure access, authentication and automation for workers and customers, declared it had detected a breach or at least an attempt at a breach.
The firm detected “adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system”. With this credential, the attacker was able to access files related to support cases uploaded by Okta customers.
“Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it,” chief security officer at Okta, David Bradbury wrote in a blog post.
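To illustrate the recommendation to sanitize a HAR file before sharing it, here is an added Python example (not code from Okta or from the original article) that redacts credential-bearing headers, cookies, query parameters and bodies in a parsed HAR. The header list, the parameter-name pattern and the sample entry are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
REDACTED = "REDACTED"
# Header names that commonly carry credentials (list chosen for this example).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie",
                     "set-cookie", "x-csrf-token"}
# Assumption: parameter names matching this pattern hold secrets (over-matches on purpose).
SENSITIVE_PARAM = re.compile(r"token|session|sid|secret|passw|code|saml", re.I)
SAMPLE = {"log": {"entries": [{"request": {  # constructed sample input
    "url": "https://idp.example/cb?state=xyz&session_token=abc123",
    "headers": [{"name": "Authorization", "value": "Bearer abc123"},
                {"name": "Accept", "value": "*/*"}],
    "cookies": [{"name": "sid", "value": "abc123"}],
    "queryString": [{"name": "state", "value": "xyz"},
                    {"name": "session_token", "value": "abc123"}]}}]}}

def _scrub(pairs, is_sensitive):
    """Redact 'value' in a HAR name/value list; return the number redacted."""
    hits = [p for p in pairs or [] if is_sensitive(p.get("name", ""))]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)

def _scrub_url(url):
    """Redact sensitive query parameters that are repeated in the raw URL."""
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE_PARAM.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Redact credentials in a parsed HAR dict in place; return redaction count."""
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            total += _scrub(msg.get("headers"), lambda n: n.lower() in SENSITIVE_HEADERS)
            # Session cookies have no fixed name, so every cookie is redacted.
            total += _scrub(msg.get("cookies"), lambda n: True)
        total += _scrub(req.get("queryString"), SENSITIVE_PARAM.search)
        total += _scrub(req.get("postData", {}).get("params"), SENSITIVE_PARAM.search)
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        # Bodies can embed tokens in any format, so they are dropped wholesale.
        for body in (req.get("postData", {}), resp.get("content", {})):
            if body.get("text"):
                body["text"] = REDACTED
                total += 1
    return total
```

Load the exported file with `json.load`, pass the result to `sanitize_har`, and write it back out with `json.dump`; searching the output for any known token value before sending it is a cheap final check.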
While Okta declared this on Friday last week, one of its impacted customers – 1Password – seemingly detected the issue as far back as 29th September.
The password management platform’s chief technology officer, Pedro Canahuati, says 1Password detected suspicious activity on its Okta instance. The activity was immediately terminated and investigated. 1Password says it has found no evidence that user data was compromised.
Cloudflare also fell prey to the incident at Okta.
“On Wednesday, October 18, 2023, we discovered attacks on our system that we were able to trace back to Okta – threat actors were able to leverage an authentication token compromised at Okta to pivot into Cloudflare’s Okta instance. While this was a troubling security incident, our Security Incident Response Team’s (SIRT) real-time detection and prompt response enabled containment and minimized the impact to Cloudflare systems and data. We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response,” Cloudflare’s security team wrote.
The firm points out that this is the second time it was impacted by a breach at Okta; the first happened in March 2022.
Furthermore, TechCrunch reports that security firm BeyondTrust was also affected by this breach.
Okta says it has contacted all customers who were impacted by this incident. If a customer hasn’t been contacted by Okta, it can safely assume there was no impact to its environment.