Okta’s latest hack fallout hits Cloudflare, 1Password

Network and security giant Cloudflare and password manager maker 1Password said hackers briefly targeted their systems following a recent breach of Okta’s support unit.

Both Cloudflare and 1Password said their recent intrusions were linked to the Okta breach, but that the incidents did not affect their customer systems or user data.

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” said 1Password chief technology officer Pedro Canahuati in a blog post. “We’ve confirmed that this was a result of Okta’s support system breach,” said Canahuati.

Ars Technica first reported that 1Password was affected by Okta’s breach.

Okta, which provides single sign-on technology to companies and organizations, said late on Friday that hackers had broken into its customer support unit and stolen files uploaded by its customers for diagnosing technical problems. These files include browser recording sessions that can contain sensitive user credentials, such as cookies and session tokens, which if stolen can allow hackers to impersonate user accounts.

Okta spokesperson Vitor De Souza told TechCrunch that about 1% of its 17,000 corporate customers — or 170 organizations — were affected by its breach.

In an attached report detailing the security incident, 1Password said the hackers used a session token from a file that a member of the IT team had uploaded to Okta’s support unit system earlier in the day for troubleshooting. The session token allowed the hackers to use the IT member’s account without needing their password or two-factor code, granting the hackers limited access to 1Password’s Okta dashboard.
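As an added illustration (not from the article or from any of the companies named), the sketch below redacts cookies, credential headers and token-like query parameters from a browser session recording before it is shared with a support desk. It assumes the recording is a HAR (HTTP Archive) JSON file, a format the article does not name; the name-matching heuristic and the sample capture are constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Assumed heuristic for custom credential names such as X-CSRF-Token or session_token.
SENSITIVE_HINTS = ("token", "session", "secret", "api-key")
REDACTED = "REDACTED"

def _is_sensitive(name):
    n = name.lower()
    return n in SENSITIVE_HEADERS or any(h in n for h in SENSITIVE_HINTS)

def _scrub_url(url):
    """Redact sensitive query parameters embedded in the request URL."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    clean = [(k, REDACTED if _is_sensitive(k) else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean)))

def sanitize_har(har):
    """Redact credentials in a parsed HAR dict in place; return fields redacted."""
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        for msg in (req, entry.get("response", {})):
            for field in msg.get("headers", []) + msg.get("queryString", []):
                if _is_sensitive(field.get("name", "")):
                    field["value"] = REDACTED
                    count += 1
            # HAR keeps parsed cookies separately from the raw Cookie header.
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
                count += 1
    return count

# Constructed sample capture; host, cookie name and token values are made up.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {
        "url": "https://idp.example.com/app?session_token=abc123&page=2",
        "headers": [{"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Accept", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
        "queryString": [{"name": "session_token", "value": "abc123"},
                        {"name": "page", "value": "2"}]},
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "def456"}]},
}]}}

if __name__ == "__main__":
    print(sanitize_har(SAMPLE_HAR), "fields redacted")
```

Request and response bodies are not inspected here, so tokens carried in form posts or JSON payloads need separate handling before a capture leaves the organization.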

1Password said the incident occurred on September 29, two weeks before Okta went public with details of the incident.

Cloudflare also confirmed in a blog post on Friday that hackers similarly targeted its systems using a session token stolen from Okta’s support unit. Cloudflare’s chief information security officer Grant Bourzikas said Cloudflare’s incident, which began on October 18, resulted in “no access from the threat actor to any of our systems or data,” in large part because Cloudflare uses hardware security keys that resist phishing attacks.

Security company BeyondTrust said it was also affected by Okta’s breach, but that it quickly shut down the intrusion. In a blog post, BeyondTrust said it notified Okta of the incident on October 2, but accused Okta of not acknowledging the breach for almost three weeks.

This is Okta’s latest security incident, following the theft of some of its source code in December 2022, and an incident earlier in January 2022 where hackers posted screenshots of Okta’s internal network.

Okta’s stock price dropped more than 11% on Friday — wiping at least $2 billion off the company’s value — following news of the breach, which was first reported by security journalist Brian Krebs.