Cyber Incident Victim: AgileBits
Date:
Sep 2023
Location:
United States of America
Summary
A security incident involving AgileBits/1Password occurred when attackers exploited Okta's compromised support system to access the company's Okta tenant using a stolen session cookie from an IT employee's HAR file submitted during a support case. The threat actor attempted actions including modifying an identity provider tied to Google, activating it, and requesting administrative user reports, which triggered detection via an unexpected email notification. The organization confirmed no unauthorized access to user data or sensitive systems, attributing the breach to Okta's support incident. In response, 1Password rotated affected credentials, enforced stricter Okta configurations such as reduced administrative session durations, tightened multi-factor authentication rules, and decreased super administrator counts. Discrepancies arose between the company's findings and Okta's logs regarding the timeline of HAR file access.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 29, 2023, 1Password detected suspicious activity within its Okta instance, which the company used to manage employee-facing applications. The activity was immediately terminated, and an internal investigation commenced. Initial findings indicated no compromise of user data or sensitive systems, including both employee-facing and user-facing infrastructure. The investigation later confirmed the incident originated from a breach of Okta’s Support System, as disclosed by Okta on October 20. Attackers exploited a session cookie stolen from a HAR file provided by a 1Password IT team member during an Okta support case. This file, created via Chrome Dev Tools, contained authentication credentials that allowed unauthorized access to 1Password’s Okta administrative portal. The threat actor attempted to access the IT team member’s user dashboard but was blocked by Okta’s systems. They then modified an existing Identity Provider (IDP) tied to 1Password’s production Google environment, activated the IDP, and requested a report listing administrative users. The breach was initially flagged when the IT team member received an unexpected email notification regarding the administrative report request, which had not been legitimately initiated.

1Password’s investigation, conducted in collaboration with Okta, confirmed the link to Okta’s Support System breach by October 20, though discrepancies arose regarding the timeline of HAR file access. Okta’s logs indicated the file was accessed after 1Password’s security incident, while 1Password maintained the compromise occurred during the support case. In response, 1Password rotated all affected credentials and implemented several security modifications to its Okta configuration. These included blocking logins from non-Okta IDPs, reducing administrative user session durations, enforcing stricter multi-factor authentication (MFA) requirements for administrators, and decreasing the number of super administrator accounts. The company reiterated that no user data or sensitive systems were accessed during the incident and confirmed its Google instance remained unaffected. Updates to 1Password’s incident report on October 25 incorporated additional logs provided by Okta, further solidifying the conclusion that the attack vector originated externally via Okta’s compromised support infrastructure.
