Okta Breach
Would someone mind adding info to help us clarify if we should worry about the Okta security breach?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
-
I'm more worried about trusting an organisation with my data that lets their employees use a laptop on hotel WiFi to upload files to Okta. Perhaps 1PW can comment on that?
2 -
I'm baffled by that too. My job is no where near as sensitive as 1Passwords where we all expect paramount levels of security. Yet on my work Macbook network access is VPN only, EDR is used (Not a free copy of Malwarebytes AV), everyone has a hardware key for MFA by default, etc.
Granted it's not as if we got a Lastpass disaster on our hands but apparently this places IT security is just as lax??
0 -
Was the employee mentioned in the report working for Okta or 1Password?
0 -
According to bleepingcomputer it was a1PW IT support person who uploaded a HAR file to Okta. Either way using hotel Wi-Fi is hardly the epitome of good security practice for either organisation in their industry.
0 -
The biggest takeaway isnt the hotel Wifi but the lack of hardware keys for all Okta admins at 1PW. Whether they were on hotel wifi or not having mandatory hardware keys for access to sensitive internal applications should have been in place before.
Also this is an Okta issue not 1PW.
0 -
Hello everyone,
No action is required on your part. This incident was limited to our Okta instance for employee apps, and no user data or sensitive information was accessed. We have no user recommended actions as a result of this incident.
We are committed to continuously improving our security protocols. Post-incident, we reviewed all Okta configurations and have enhanced our MFA protections, by adopting Okta’s Adaptive MFA, thereby strengthening our overall security posture to prevent similar incidents in the future
We want to clarify that MFA protections have always been a fundamental aspect of our security framework. The recent enhancements were an added layer, elevating our already steadfast security measures. These diligent actions fortify our defenses, making certain that such incidents are robustly safeguarded against in the future. Rest assured, we are unwavering in our commitment to protecting your data with the most rigorous security protocols available.
While the free version of Malwarebytes was employed post-incident, it was one of the rapid response tools we picked from our toolbox and does not represent the entirety of our endpoint security strategy.
The breach at Okta had no adverse effect on 1Password’s operations or the service provided to our users. Our quick and decisive actions ensured that our production operations remained unaffected and ran smoothly without disruptions. You can confidently continue using our services, knowing that maintaining consistent and secure operations is always our top priority.
Your trust is paramount to us and while no user data was impacted, we have chosen to make this information public out of an abundance of transparency.
-Dave
1 -
Well, I used to have an account at LastPass and their incident started in a similar way. A tech guy was hacked, no user data touched at this point, months later the hackers used the information gotten in this incident to retrieve user vaults that are now out there being decrypted as we speak.
So... If your guy was using a hotel wifi without the enforced need for a hardware key and vpn and other measures, how are we sure that on Okta you didn't just lost the keys to the Kingdom like what with LastPass?
1 -
I understand your concerns and want to provide a clear picture of the recent incident. Our in-depth investigation reveals that no user data or sensitive information was accessed or compromised during the breach.
If the attack had been successful, they could have accessed limited employee information, but not user data or our production services.
All of the information stored in 1Password accounts is end-to-end encrypted, and only the person who creates an account holds the keys. When you create a 1Password account, you choose an account password. This password, combined with the Secret Key, keeps the information inside of your account safe. These details are also never shared with anyone else, including us here at 1Password.
If you’d like to, you can learn more about the 1Password security model. If you want an even deeper dive into our security design, you can review our white paper.
Let me know if you have any other questions about the security of 1Password!
-Dave
0 -
Hello all,
over the last couple of days, since I learned about the incident, I've worked my way through the 1Password Security Design Whitepaper, which is also linked in Dave's post above.
Now, I am in no way an IT security professional, merely an interested layman (by trade, I am a physician for Radiology and Nuclear Medicine and I lecture as a Professor for Nuclear Medicine at the LMU in Munich).
But as far as I can gather from the Whitepaper, there are certain design choices in place (two-secret key derivation, secure remote password) that do not leave enough information on 1Password's servers to compromise our password vaults, even in case of a data breach that leads to the theft of the encrypted vaults. If - and here comes the caveat - if everything has been correctly implemented by 1Password as stated in the Whitepaper without any unintentional or unidentified security holes.
And I think this is, where we have to take their word for it.
I tried to read into the external security audition reports that are provided by 1Password (https://support.1password.com/security-assessments/) to glean further information from there. However, they mostly go beyond the scope of what I can understand. Maybe other members of the forum can make more use of them.So, while I am still concerned about the incident, for now I feel mostly reassured that all my secrets stored in 1Password are still safe.
Nevertheless, I will carefully monitor any activity in my accounts over the next weeks and months, just in case anything unusual happens.-Sebastian
2 -
A good summary, and your statement "here comes the caveat - if everything has been correctly implemented by 1Password as stated in the Whitepaper without any unintentional or unidentified security holes" is fundamental. Like you, I don't have the knowledge to fully understand the detail of the security audits, but on the face of it they focus on the technical infrastructure and not business processes. Dave states that they could have accessed limited employee information - then where does that lead to if that employee becomes personally compromised?
Just remember your highly valuable personal data isn't in the "cloud", it's on someone elses computer admistered by someone you don't know, beholden to shareholders.
2 -
Thank you!
You have a valid point there.
The questions is only: where should we go from here?In the end, with most solutions that are feasible for laymen that can't or don't want to spend an inordinate amount of time on the subject, it comes down to trusting at least someone.
Even with open source software that I cannot review myself, I have to trust the people who can to find holes in the security defenses and fix them properly. Even though I understand that there is a higher amount of mutual control than in closed source environments.
However, setting many of those solutions up and implementing them in a way that they deliver the same experience as 1Password and comparable password managers with the same ease, seems daunting to me.That is why I will stick with my current setup and monitor the situation.
Certain, very critical secrets - e.g. my Apple ID - I have protected with additional measures like hardware keys. But I do have to acknowledge that someone with unlimited access to my 1Password vault could wreck irreversible havoc in my life.0 -
RE: "...here comes the caveat - if everything has been correctly implemented by 1Password as stated in the Whitepaper without any unintentional or unidentified security holes."
While perfection can never be guaranteed, the fact that AgileBits conducts ongoing independent security audits of 1Password is encouraging (see here).
1 -
...Additionally, the 1Password bug bounty program likely contributes to the integrity of the application.
0 -
Thank you to everyone for adding to the discussion and for linking to our third-party security audits and bug bounty program.
At 1Password, the security of the data you trust us with is our top priority. Our security model is designed such that no one other than you, and people you intentionally share with, can decrypt the data stored within your 1Password vaults. This means that even in a scenario where a 1Password employee’s access was compromised, items you store in 1Password would not be at risk.
We're committed to keeping your data safe and sound. If you have any further questions or need more clarity, please feel free to reach out. We're here for you.
-Dave
0 -
Outsourcing identity and access management to Okta means outsorcing parts of the security and credentials management to Okta. I have to admit that I am quite unhappy about 1Password's decision to do that because I would never trust Okta's security model because they are the one's who grant access to the customer's IT systems and they are the one who are targeted by every hacker all over the world. Okta is a young company providing services to companies that don't understand IT security very well. I know this sounds harsh but I really would like to see 1Password to become more self sufficient in this area of expertise.
0 -
Okta has a history of breaches, as reported by reputable sources such as Wired and The Register, and others which have provided damning analysis. Personally, I was a fan of 1PW when it was still the original organization. Currently, I am using 1PW 7 as a standalone application on my iMac, and I sync my data locally with iOS. This way, I have full control over the whereabouts of my data, without any uncertainty about who is actually managing it.
In the pursuit of financial support, 1PW has attracted the attention of prominent figures from the film industry, including Ryan Reynolds, Scarlett Johansson, Robert Downey Jr., Chris Evans, Matthew McConaughey, Rita Wilson, Ashton Kutcher, Trevor Noah, Justin Timberlake, and Pharrell Williams. These individuals are not tech entrepreneurs with a vested interest in data security. While diversifying funding sources is a common practice, it raises concerns about 1PW's commitment to its original objectives. It seems that the company may now prioritize investor returns over its core competencies, as evidenced by its partnerships with less-than-optimal outsourcing agencies. This shift in focus prompts the question whether 1PW has lost sight of the qualities that once made it attractive.
0 -
We started using Okta to better understand our customers' experiences with an SSO provider and to build better products that integrate with them. Okta is one of the top feature rich SSO providers, helping us to add and remove access for 1Password employees to internal applications we use.
As I mentioned in my earlier post, if the attack had been successful, they could have accessed limited employee information, but not user data or our production services.
We are committed to continuously improving our security protocols. Every decision we make will be in the best interest of maintaining the robust security and integrity of our users’ data. Your trust is invaluable, and we’re committed to making choices that fortify your confidence in our services.
-Dave
0