Okta Reports Breach Due to Stolen Credentials
by Nico Pätzel
Attackers Gain Access to Customer Data
Okta, a leading identity management and authentication company, has disclosed a recent security breach where attackers gained access to its support management system using stolen credentials. Although the breach did not impact Okta's production service, it raised concerns about the security of customer data uploaded to the support system.
Support System Breached
According to Okta's Chief Security Officer, David Bradbury, the threat actors were able to access files, including cookies and session tokens, uploaded by certain customers as part of recent support cases. This breach occurred in the support case management system, which is distinct from the production Okta service.
Potential Data Exposure
While specific details about the exposed customer information remain undisclosed, the breached support system was used to store HTTP Archive (HAR) files. A HAR file is a recording of browser activity: the pages visited, the request and response headers, and, unless they are stripped out, the cookies and session tokens sent with each request. Those tokens are what make the files dangerous in the wrong hands, since a threat actor who obtains a still-valid session token can use it to compromise the customer account it belongs to.
Response and Mitigation
During the incident investigation, Okta worked closely with affected customers to address the breach. Session tokens embedded in shared HAR files were revoked to mitigate further risks. Okta now advises all customers to sanitize their HAR files before sharing them to prevent the inadvertent exposure of credentials and session data.
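The kind of scrubbing Okta's advice calls for, written here as an added example rather than Okta's own tooling: it redacts cookies and credential-bearing headers on both the request and response side of every HAR entry and then checks that known secret values no longer appear anywhere in the document. The header list and the sample HAR (a fictional tenant and a made-up session value) are constructed assumptions.

```python
import copy
import json

# Header names whose values carry credentials or session material in a HAR
# capture. Assumption: a reasonable default list, not one published by Okta.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of a HAR document with cookies and auth headers redacted.

    HAR 1.2 keeps headers and cookies under log.entries[].request and
    log.entries[].response; both sides are scrubbed and the input is left intact.
    """
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side) or {}
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in message.get("cookies", []):
                cookie["value"] = REDACTED
    return clean


def find_leaks(har: dict, secrets: list) -> list:
    """Return the known secret values that still appear anywhere in the HAR."""
    blob = json.dumps(har)
    return [secret for secret in secrets if secret in blob]


# Constructed sample HAR: one request to a fictional Okta tenant that carries a
# session cookie, plus the response that (re)sets it.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": "sid=abc123sessiontoken"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "abc123sessiontoken"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=abc123sessiontoken; Secure; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "abc123sessiontoken"}],
    },
}]}}

if __name__ == "__main__":
    cleaned = sanitize_har(SAMPLE_HAR)
    print("leaks after sanitizing:", find_leaks(cleaned, ["abc123sessiontoken"]))
```

The leak check is the part worth keeping in a support workflow: run it with the session and token values you know were active during the capture before the file leaves your hands.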
BeyondTrust's Perspective
BeyondTrust, one of Okta's affected customers, played a crucial role in detecting the breach. They observed an attempt to access an Okta administrator account using a stolen cookie on October 2nd and alerted Okta. However, it took Okta over two weeks to confirm the breach. Despite some limited actions by the malicious actor, BeyondTrust stated that its systems and customers were not adversely affected.
Cloudflare's Involvement
Cloudflare also detected malicious activity linked to Okta's breach on its servers on October 18, 2023. The attackers leveraged an authentication token stolen from Okta's support system to gain access to Cloudflare's Okta instance with administrative privileges. Cloudflare's swift response contained the impact, and no customer information or systems were compromised.
Repeated Security Incidents
This breach adds to a series of security incidents for Okta in recent years. In January 2022, customer data was exposed when the Lapsus$ group gained access to Okta's administrative consoles. Additionally, one-time passwords (OTPs) delivered to Okta customers via SMS were stolen by the Scatter Swine threat group in August 2022. Auth0, an Okta-owned authentication service provider, also suffered a security incident where source code repositories were stolen in September.
These repeated breaches highlight the importance of robust cybersecurity measures and vigilant monitoring in the face of evolving threats.