1Password compromised in Okta breach, affecting employee-focused applications
=================================================================================
In a recent cyberattack, a sophisticated threat group known as Scattered Spider (also called UNC3944, Oktapus, Storm-0875, or Muddled Libra) has targeted identity and access management systems, including Okta, impacting security-focused companies such as 1Password, BeyondTrust, and Cloudflare.
The attackers used aggressive social engineering techniques, including voice phishing (vishing) calls impersonating IT support, to manipulate employees into revealing credentials and multi-factor authentication codes via fake Okta login panels. This gave them unauthorized network access and compromised Okta, an identity provider that its customers rely on for secure multi-factor authentication.
By compromising Okta, the threat actors could bypass security controls and infiltrate corporate environments, including the tightly guarded platforms of security companies like 1Password and BeyondTrust. The group has also been known to deploy DragonForce ransomware, encrypting systems such as VMware ESXi servers, and to use techniques such as disk-swap attacks on Domain Controller virtual machines to steal Active Directory data and disable backups, making recovery difficult.
1Password was among the companies affected by the Okta support system breach, leading to an intrusion of its Okta environment. However, Pedro Canahuati, 1Password's CTO, confirmed in a Monday blog post that no user data was accessed during the intrusion. 1Password immediately terminated the suspicious activity on its Okta instance on Sept. 29.
BeyondTrust and Cloudflare are also among the security-oriented victims of the Okta support system breach. All three companies detected and thwarted the threat, preventing any damage. The threat actor in the Okta support system breach attempted to manipulate authentication flows and establish a secondary identity provider in order to impersonate users within the affected organizations.
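The secondary-identity-provider step described above leaves a trail in the Okta System Log. The following is an added detection example, not code from the article or from any of the companies named: it scans newline-delimited System Log JSON for successful IdP creation, activation or routing-rule changes and flags those made from outside an approved set of admin IP addresses. The event type names follow Okta's published event catalogue but are treated here as an assumption, and the log lines are constructed sample data.

```python
import json

# Okta System Log event types that surface when someone stands up a second
# identity provider or changes which IdP or rule handles sign-in. Names follow
# Okta's published event-type catalogue; treat them as an assumption and
# confirm against your own tenant's System Log before relying on them.
IDP_TAMPER_EVENTS = {
    "system.idp.lifecycle.create": "new identity provider created",
    "system.idp.lifecycle.activate": "identity provider activated",
    "policy.rule.update": "sign-on or IdP routing rule changed",
}


def find_idp_tampering(log_text, approved_admin_ips):
    """Return one alert per successful IdP-related change found in
    newline-delimited Okta System Log JSON, noting actor, source IP, targets,
    and whether the source IP is outside the approved admin set."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = IDP_TAMPER_EVENTS.get(event.get("eventType"))
        if reason is None or event.get("outcome", {}).get("result") != "SUCCESS":
            continue  # only successful changes actually alter the auth path
        ip = event.get("client", {}).get("ipAddress", "")
        alerts.append({
            "time": event.get("published"),
            "actor": event.get("actor", {}).get("alternateId"),
            "ip": ip,
            "reason": reason,
            "targets": [t.get("displayName") for t in event.get("target", [])],
            "unexpected_ip": ip not in approved_admin_ips,
        })
    return alerts


# Constructed sample events (not real log data) in Okta System Log shape.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"published": "2023-09-29T14:02:11Z", "eventType": "user.session.start",
     "actor": {"alternateId": "admin@example.com"}, "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "SUCCESS"}, "target": []},
    {"published": "2023-09-29T14:05:40Z", "eventType": "system.idp.lifecycle.create",
     "actor": {"alternateId": "admin@example.com"}, "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "SUCCESS"}, "target": [{"displayName": "Backup SSO"}]},
    {"published": "2023-09-29T14:06:02Z", "eventType": "system.idp.lifecycle.activate",
     "actor": {"alternateId": "admin@example.com"}, "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "FAILURE"}, "target": [{"displayName": "Backup SSO"}]},
])
```

Running `find_idp_tampering(SAMPLE_LOG, {"203.0.113.10"})` yields a single alert for the IdP creation from the unapproved address; the failed activation is ignored.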
Okta was alerted to the breach by BeyondTrust on Oct. 2, after BeyondTrust discovered a similar intrusion on its Okta environment on the same day. 1Password is waiting for Okta to pull and share additional log entries for further review.
The Scattered Spider group is part of a broader cybercriminal ecosystem that overlaps with other known entities like "The Com." Their operations have been linked to ransomware, data theft, and extortion campaigns targeting various sectors, including technology and critical infrastructure.
As the investigation into the Okta support system breach continues, it is crucial for companies to remain vigilant and implement robust security measures to protect against such sophisticated attacks.
- Scattered Spider's targeting of identity and access management systems shows how much even security-focused companies such as Okta, 1Password, BeyondTrust, and Cloudflare depend on robust defenses against sophisticated attacks.
- Its use of voice phishing and fake login panels to compromise an identity provider underscores the need for ongoing vigilance and investment in defensive technology across the technology sector.