Okta Customer Support Breach Exposed Data on 134 CompaniesOkta Customer Support Breach Exposed Data on 134 Companies
1Password, BeyondTrust, and Cloudflare were among five customers directly targeted with stolen Okta session tokens, the company's CSO says.
November 3, 2023
Okta has confirmed that threat actors were able to breach its customer support system and steal files related to 134 of its customers, which is less than 1% of the identity and access management (IAM) company's total roster. Out of those, Okta says cyberattackers went on to target five specific customers with the stolen data, including BeyondTrust, 1Password, and Cloudflare.
The stolen customer support files were HAR files containing session tokens, Okta's chief security officer David Bradbury explained in a detailed blog post about the incident this week.
An investigation into the hack revealed an Okta employee's credentials were compromised on a personal device, which likely led to the initial breach.
"During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop," Bradbury explained. "The username and password of the service account had been saved into the employee’s personal Google account."
According to a timeline of events provided by Okta, 1Password was the first customer to reach out to Okta with a report of suspicious activity on Sept. 29. By Oct. 2, BeyondTrust had reported a similar issue. By using those indicators of compromise and associated IP addresses, Bradbury said his team was able to identify other targeted customers, including Cloudflare.
All affected session tokens embedded in the compromised HAR files have since been revoked.
Okta has also taken the step of blocking any future Google Chrome sign-ins on Okta-managed laptops using a personal Google account. Furthermore, the company added a feature tying Okta admin tokens to network location data, Bradbury added.
"Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators," Bradbury reassured Okta customers. "Okta administrators are now forced to re-authenticate if we detect a network change."
The detailed explanation from Okta comes after a series of brutal cybersecurity incident plagued the company, including being used to breach MGM Resorts. Most recently, Okta's employee data was compromised through a third-party healthcare vendor.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
How to Deploy Zero Trust for Remote Workforce Security
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Modernize your Security Operations with Human-Machine Intelligence
Quantifying the Gap Between Perceived Security and Comprehensive MITRE ATT&CK Coverage
Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report