Okta is in the headlines for a data breach yet again. This time, malicious actors managed to compromise its customer support unit and steal sensitive information.
According to Okta, the impact of this breach was contained to what they describe as a “very small number” of customers. However, it’s come to light that the attackers responsible actually had unauthorized access to Okta’s support platforms for over two weeks before the company successfully mitigated the intrusion.
Here’s everything you need to know.
In a blog post on Friday, Okta shared that threat actors had managed to breach Okta’s support management system using stolen credentials. As of now, it remains undisclosed how the threat actors obtained credentials, and we don’t know whether two-factor authentication measures were in place.
Regardless, once inside, they accessed HTTP Archive (HAR) files, which are used to identify and remediate performance issues.
Because these HAR files log browser interactions, they inherently contain sensitive data like cookies and session tokens. Armed with this information, threat actors could potentially compromise customer accounts.
“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” said Okta’s Chief Security Officer David Bradbury.
He also highlighted that Okta’s support case management system operates separately from the main Okta production service, which remains fully operational and unharmed by this incident.
Okta’s CSO also reassured customers that this breach did not extend to the Auth0/CIC case management system, safeguarding another facet of their services.
In response to the breach, Okta notified all customers whose Okta environments or support tickets were affected by the intrusion. However, as you’ll discover below, some customers recognized the breach before Okta did.
Okta customers sounded the alarm
BeyondTrust, another prominent figure in identity management, shared that it was one of the affected customers in the Okta security breach. According to BeyondTrust, their security team successfully detected and thwarted an attempt to access an internal Okta administrator account on October 2nd.
They further shared that the attackers had exploited a cookie stolen from Okta’s support system to carry out this unauthorized login attempt. Although BeyondTrust raised the alarm to Okta on the day of the incident, they heard nothing in return.
“We raised our concerns of a breach to Okta on October 2nd. Having received no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta until October 19th when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers,” BeyondTrust stated.
BeyondTrust also detailed that their security measures, including “custom policy controls,” successfully thwarted the attack. However, due to certain “limitations in Okta’s security model,” the malicious actor managed to carry out a few restricted actions.
Importantly, BeyondTrust emphasized that the attacker did not gain access to any of their systems, and their customers remained unaffected.
Additionally, Cloudflare, another security vendor, identified malicious activity linked to the Okta breach on their servers on October 18, 2023. Cloudflare’s security team detected and responded to the incident quickly, confirming in a statement that none of their customer information or systems were compromised by this event.
In this case, the attackers leveraged an authentication token taken from Okta’s support system to pivot into Cloudflare’s Okta instance, exploiting an open session with administrative privileges.
Like BeyondTrust, Cloudflare contacted Okta about the incident a day before Okta sounded the alarm themselves.
This high-profile security incident is the most recent addition to a series of breaches associated with Okta and its products. Earlier attacks include notable cases involving Caesars Entertainment and MGM Resorts, where attackers social-engineered employees into resetting the multi-factor login requirements for Okta administrator accounts.
Perhaps because of its track record, or the delay in identifying and mitigating the incident, the repercussions of this breach have been financially significant.
Okta’s shares experienced a sharp decline of over 11% on the Friday following the announcement. This decline amounted to a loss of more than $2 billion in the company’s market cap.
As of this week, the downward trajectory of Okta’s stock continues, with the company closing with an 8.1% decrease on Monday.