In a blog post, 1Password says that “suspicious activity” was detected in one of its employee-facing Okta systems. This suspicious activity was the result of an Okta data breach. Thankfully, 1Password claims that it “has found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” meaning that customers’ passwords are safe.
The “suspicious activity” occurred on September 29th. It was quickly detected and terminated by 1Password. An investigation into the problem began shortly thereafter, and 1Password worked with Okta to find the hacker’s attack vector. Okta later determined that the attack vector was, in fact, its own customer support system. This system, which is used to mirror and troubleshoot customers’ web activity, contains session tokens and other data that may be used to hack or impersonate users. Okta reached out to affected customers on October 19th and disclosed the data breach on October 20th.
Okta is an identity-management service that provides cybersecurity for several high-profile companies. It fell victim to a data breach in January 2022, meaning that this is the second major Okta breach in two years. You may know Okta from the cyberattacks that took out Las Vegas casinos in September 2023—Caesars Entertainment and MGM Resorts are among Okta’s customers. To be clear, Okta was not compromised during the casino cyberattacks. Hackers simply targeted the IT personnel at casinos.
The full scope of this data breach is unknown. That said, 1Password isn’t the only company that found “suspicious activity” in its Okta systems. BeyondTrust says that it reported a potential data breach to Okta on October 2nd. This report was not acknowledged by Okta until October 19th, according to BeyondTrust.
We don’t know why Okta held off on cooperating with BeyondTrust, or why it took two weeks for Okta to disclose the breach. Wells Fargo analyst Andrew Nowinski speculates that Okta “was unaware of the breach and did not have the internal capabilities to detect this behavior.” That said, there isn’t enough evidence to support Nowinski’s assessment, and we rarely learn of a data breach immediately after it occurs.
To reiterate, this incident only affected 1Password’s employee-facing Okta systems—1Password itself was not hacked, and your passwords were not compromised. This isn’t a nightmare-level LastPass situation. Note that 1Password user databases are encrypted. If a hacker manages to steal your database from 1Password, they’ll also need to gain access to your phone or computer to retrieve a decryption key.