Okta Warns Once Again of Credential-Stuffing Attacks

For the second time in just more than a month, identity management service provider Okta is warning of credential-stuffing attacks, this time against the cross-origin authentication feature of its Customer Identity Cloud (CIC) authentication offering.

The "suspicious activity" started on April 15, when Okta observed that the endpoints used to support CIC's cross-origin authentication feature first being attacked for "a number of our customers," according to a warning posted on the company's website earlier this week.

Credential-stuffing attacks occur when adversaries attempt to sign in to online services using large lists of usernames and passwords, likely obtained from previous data breaches, phishing, or malware campaigns.

Late last month, Okta also warned of a rash of similar attacks against its service around the same time frame; those attacks were made largely through an anonymizing device such as Tor or routed through various residential proxies such as NSOCKS and Datalmpulse.

Okta has "proactively" informed customers with the cross-origin authentication feature enabled of the attacks and provided detailed guidance for mitigation and prevention.

Identifying a Cyberattack on CORS

The cross-origin authentication is part of Okta's Cross-Origin Resource Sharing (CORS) feature, which allows a webpage to make an Ajax call using XML requests, so customers can enable JavaScript running on a browser client to interact with resources from a different origin.  

"Such cross-domain requests would otherwise be forbidden by Web browsers as indicated by the same origin security policy," according to an Okta developer resource page. "CORS defines a standardized way in which the browser and the server can interact to determine whether to allow the cross-origin request."

Okta customers using CORS should review the following events in their tenant logs to determine if they were targeted: "FCOA," or failed cross-origin authentication; "SCOA," or successful cross-origin authentication; and "pwd_leak," or someone attempting to log in with a leaked password.

Even if a customer's tenant does not use cross-origin authentication but SCOA or FCOA events are present in the event logs, it's still likely that the tenant has been targeted, according to Okta.

Further, if a tenant using cross-origin authentication either saw a spike of SCOA events in April or an increase in the ratio of failure-to-success events — that is, FCOA/SCOA — then it also is likely the tenant was targeted.

Customers at risk of the attacks also can restrict permitted origins and enable breached password detection for affected tenants.

Further Defense Against Credential-Stuffing

Given that credential-stuffing attacks are becoming a recurring issue for Okta customers — among myriad other organizations —the company also provided guidance for long-term defense to prevent them from occurring. Indeed, high-profile customers such as 23andMe, Roku, and Hot Topic apparel brand have all been victims of these types of attacks.

To prevent them, organizations should enroll users "in passwordless, phishing-resistant authentication," according to Okta, which also suggested that passkeys are the "most secure option."

If an organization continues to use passwords, administrators should prevent users from choosing weak passwords, requiring them to choose a "minimum of 12 characters and |no parts of the user name," according to Okta. Multifactor authentication (MFA) also can help prevent credential-stuffing attacks from being successful; in fact, Roku mandated this defense after its high-profile attack.

Further, Okta tenants not using cross-origin authentication can disable endpoints to eliminate the attack vector entirely, Okta said. And obviously, the company noted, any passwords compromised in a credential-stuffing attack should be changed immediately.