Keeper Connection Token
Service Name: Keeper Security
Service Description: Keeper Security is a zero-knowledge cybersecurity platform that provides password management, secrets management, secure file storage, and encrypted messaging solutions for businesses and individuals.
Service Address: https://keepersecurity.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the enterprise level through Keeper's Admin Console.
Secret Access Scope: Grants programmatic access to Keeper's Enterprise API, allowing applications to interact with the Keeper vault system, manage records, folders, and teams.
Secret Revokement URL: https://docs.keeper.io/enterprise-guide/commander-cli#token-revoke
Secret Example: US:XXkkvvttpp8899aayymmUU:Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Suspicious Activity Investigation Instructions:
- Review Keeper's audit logs for unusual access patterns or unauthorized record access.
- Check for unexpected API calls or operations performed using the connection token.
- Monitor for unauthorized sharing of records or changes to sharing permissions.
- Verify if the token has been used from unusual geographic locations or IP addresses.
- Review any changes to vault structure, record creation, or deletion that occurred during the suspected compromise period.
Mitigation Instructions:
- Immediately revoke the compromised token using Keeper Commander CLI with the command:
keeper token revoke <token_id>. - Generate a new connection token if needed for legitimate applications.
- Review and update access controls for the affected Keeper account.
- Enable two-factor authentication if not already in place.
- Consider implementing IP restrictions for API access through the Keeper Admin Console.
- Review all vault activity during the suspected compromise period and revert any unauthorized changes.
- Update any credentials that may have been exposed through the compromised token.