24 October 2023

1Password discloses security incident linked to Okta breach



The team behind the popular password manager 1Password disclosed a security incident linked to the recent breach at identity service provider Okta.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” 1Password’s Chief Technology Officer Pedro Canahuati wrote in a blog post.

1Password said that the threat actors gained access to its Okta environment using a stolen session cookie belonging to a member of the IT team.

“A member of the IT team was engaged with Okta support, and at their request, created a HAR file from the Chrome Dev Tools and uploaded it to the Okta Support Portal. This HAR file contains a record of all traffic between the browser and the Okta servers, including sensitive information such as session cookies,” the company explained.

1Password said there is no indication that the attackers accessed any other systems. The company believes that the goal of the breach was to collect information for “a more sophisticated attack.”

Following the incident, 1Password rotated the IT team member’s credentials for all systems, switched to using only a YubiKey for MFA, and placed additional restrictions on their Okta account. It also changed its Okta configuration: denying logins from non-Okta IDPs, reducing session times for administrative users, tightening MFA rules for administrative users, and cutting down the number of super administrators.
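Because a HAR file records session cookies alongside the rest of the traffic, it should be scrubbed before it leaves the machine. The following is an added example, not code from 1Password or Okta: a minimal sanitizer for the HAR 1.2 JSON layout, run on a constructed sample whose host name and cookie value are made up.

```python
import copy
import json

# Headers whose values carry session state or credentials.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def scrub_message(msg):
    """Redact one HAR request or response in place; return the number of fields redacted."""
    count = 0
    for header in msg.get("headers", []):
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = REDACTED
            count += 1
    for cookie in msg.get("cookies", []):  # parsed copy of the Cookie/Set-Cookie headers
        cookie["value"] = REDACTED
        count += 1
    # Bodies can embed tokens (login forms, JSON responses), so their text is dropped.
    for body_key in ("postData", "content"):
        body = msg.get(body_key) or {}
        if body.get("text"):
            body["text"] = REDACTED
            count += 1
    return count

def sanitize_har(har):
    """Return (sanitized deep copy, number of redacted fields); the input is not modified."""
    clean = copy.deepcopy(har)
    total = 0
    for entry in clean.get("log", {}).get("entries", []):
        total += scrub_message(entry.get("request", {}))
        total += scrub_message(entry.get("response", {}))
    return clean, total

def contains(har, needle):
    """True if the string appears anywhere in the serialized HAR."""
    return needle in json.dumps(har)

# Constructed sample: a single entry in HAR 1.2 layout (not taken from any real capture).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://idp.example.test/app",
        "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION"},
                    {"name": "Accept", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION"}]},
    "response": {"status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED-SESSION; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION"}],
        "content": {"mimeType": "text/html", "text": "<p>sid CONSTRUCTED-SESSION</p>"}},
}]}}
```

This sketch leaves URLs, query strings and form `params` untouched, so tokens passed there still need review before the file is shared.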
