Hackers obtained valid credentials, but Okta doesn’t say how.
Identity and authentication management provider Okta said hackers managed to view private customer information after gaining access to credentials to its customer support management system.
“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Okta Chief Security Officer David Bradbury said Friday. He suggested those files comprised HTTP archive, or HAR, files, which company support personnel use to replicate customer browser activity during troubleshooting sessions.
“HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users,” Bradbury wrote. “Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
Bradbury didn’t say how the hackers stole the credentials to Okta’s support system. The CSO also didn’t say whether access to the compromised support system was protected by two-factor authentication, which best practices call for.
Security firm BeyondTrust said it alerted Okta to suspicious activity earlier this month after detecting an attacker using a valid authentication cookie trying to access one of BeyondTrust’s in-house Okta administrator accounts. BeyondTrust’s access policy controls stopped the attacker’s “initial activity, but limitations in Okta’s security model allowed them to perform a few confined actions,” the company said without elaborating. Eventually, BeyondTrust was able to block all access.Advertisement
Beyond Trust said it notified Okta of the event but didn’t get a response for more than two weeks. In a post, BeyondTrust officials wrote:
FURTHER READING
First Microsoft, then Okta: New ransomware gang posts data from bothOkta has experienced multiple security or data breaches in recent years. In March 2022, circulated images showed that a hacking outfit known as Lapsus$ purportedly gained access to an Okta administration panel, allowing it to reset passwords and multifactor authentication credentials for Okta customers. The company said the breach occurred after the hackers compromised a system belonging to one of its subprocessors.
In December 2022, hackers stole Okta source code stored in a company account on GitHub.
Bradbury said Okta has notified all customers whose data was accessed in the recent event. Friday’s post contains IP addresses and browser user agents used by the threat actors that others can use to indicate if they have also been affected. The compromised support management system is separate from Okta’s production service and Auth0/CIC case management system, neither of which was impacted.