Last month, Avertium published a flash notice warning users of a critical breach impacting Okta Inc. This week, the company has a stated that the threat actors behind the breach stole a file containing information on all users of its customer support system.
Okta informed its customers that threat actors obtained a report containing data, such as names and email addresses, of all clients utilizing its customer support system. Additionally, a notable portion of the affected users are administrators, with 6% of them not having activated multi-factor authentication to guard against unauthorized login attempts.
While Okta stated that there is no known evidence that the stolen data was exploited, they have notified all of their customers that the report is a security risk for phishing and social engineering. Okta further stated that user credentials have not been exposed. Avertium’s recommendations from October still apply.
Okta Inc., an identity and access management company, disclosed its most recent security breach this week. According to the official statement released by Okta, the breach involved "adversarial activity leveraging access to a stolen credential to infiltrate Okta's support case management system." The threat actor, using the stolen credentials, managed to access files uploaded by specific Okta customers as part of recent support cases.
It's important to note that the compromised support case system is different from the main Okta production service, which remains unaffected by this breach. Additionally, Okta's Auth0/CIC case management system was not impacted by the security breach.
Okta has already notified and is cooperating with customers that were impacted. In this breach, attackers gained access to files containing cookies and session tokens uploaded by customers to Okta's support management system. Therefore, Okta advises all customers to sanitize their credentials and cookies/session tokens within an HAR file before sharing it. Okta did not disclose the number of customers impacted or how the stolen credentials were obtained.
The situation has taken an interesting turn, as one affected customer, BeyondTrust Corp., publicly shared its experience, revealing a concerning lack of responsiveness from Okta. BeyondTrust detected an identity-centric attack on an in-house Okta administrator account on October 2 but received no acknowledgment from Okta until October 19, despite timely alerts to the potential breach.
Cloudflare Inc. has also come forward, reporting that it detected attacks on its systems on October 18, which were traced back to Okta. While Cloudflare successfully protected its customers, the company raised concerns about Okta's response time. 1Password has also been affected by the Okta breach. The company's Chief Technology Officer, Pedro Canahuati, stated that they detected suspicious activity on September 29 on an employee-facing app, but they were able to terminate the activity immediately. 1Password also successfully protected its employees, with no compromise of user data.
This is the second breach that Okta has faced within a two-year span. The company was the victim of an attack via Lapsus$ in March 2022. Internal documents were stolen in that attack, and the breach was not disclosed until much later. Please see Avertium’s recommendations below.
INDICATORS OF COMPROMISE (IoCs)
Okta’s published announcement from the company’s Chief Security Officer, David Bradbury, states the following regarding User Agents:
“While the following user-agents are legitimate, they may be rare in your environment given the release of Chrome 99 in March 2022.”