Network and security giant Cloudflare and password manager developer 1Password said hackers briefly breached their systems following a recent breach of Okta's support department. Cloudflare and 1Password both said their recent breaches were related to Okta's vulnerabilities, but that the incidents did not affect their customer systems or user data.
"We immediately terminated this anomalous activity and conducted an investigation and found no compromise of user data or other sensitive systems, either employee- or user-facing," 1Password Chief Technology Officer Pedro Canahuati said in a blog post. "We have confirmed that this was the result of a vulnerability in Okta's support system."
Okta, which provides single sign-on technology to companies and organizations, said late Friday that hackers had broken into its customer support department and stolen files uploaded by customers to diagnose technical issues. These files include browser session logs, which may contain sensitive user credentials such as cookies and session tokens; if stolen, these can allow hackers to impersonate user accounts.
Okta spokesman Vitor DeSouza said that about 1% of Okta's 17,000 enterprise customers, or 170 organizations, were affected by the vulnerability.
In an attached report detailing the security incident, 1Password said the hackers used session tokens from a file that IT team members uploaded to Okta's support system for troubleshooting purposes earlier in the day. The session token allowed the hacker to use the IT member's account without requiring a password or two-factor code, giving the hacker limited access to 1Password's Okta panel.
1Password stated that the incident occurred on September 29, two weeks before Okta disclosed the details of the incident.
Cloudflare also confirmed in a blog post on Friday that hackers used session tokens stolen from Okta support to attack its systems. Grant Bourzikas, Cloudflare's chief information security officer, said the Cloudflare incident began on October 18 and "the threat actors did not have access to any of our systems or data," in large part because Cloudflare uses hardware security keys that resist phishing attacks.
Security firm BeyondTrust said it was also affected by the Okta intrusion but quickly shut it down. BeyondTrust said in a blog post that it notified Okta of the incident on Oct. 2, but accused Okta of failing to acknowledge the breach for nearly three weeks.
This is Okta’s latest security incident after part of its source code was stolen in December 2022 and hackers released screenshots of Okta’s internal network in January 2022.
After security reporter Brian Krebs first reported news of the breach, Okta's stock price fell more than 11% on Friday, wiping out at least $2 billion in company value.