Okta, the identity and access management (IAM) vendor, recently released a detailed timeline of a breach that occurred in its customer support case management systems. This breach resulted in a threat actor hijacking sessions for five of Okta’s customers. Last month, Okta disclosed that a threat actor had used stolen credentials to breach its support case management systems and gain access to customer data. However, the company did not provide many details about the breach at the time, leaving many questions unanswered.
To fill in some of the missing details, three affected customers, namely 1Password, BeyondTrust, and Cloudflare, published their own blog posts. 1Password’s CTO, Pedro Canahuati, stated that his company detected threat activity related to the breach on September 29th. BeyondTrust alerted Okta about a potential breach on October 2nd, while Cloudflare took a more critical stance in their blog post titled “How Cloudflare Mitigated Yet Another Okta Compromise.”
In a recent post authored by Okta CSO David Bradbury, the company provided greater clarity and context about the attack, along with a detailed timeline. This new post appears to have replaced Bradbury’s earlier post entirely. According to Bradbury’s latest update, an unnamed threat actor gained unauthorized access to files in Okta’s customer support system from September 28th to October 17th. These files were associated with 134 Okta customers, which represents less than 1% of the company’s total client base.
One concerning aspect of the breach was the access to HAR (HTTP Archive) files that contained session tokens, which could be used for session hijacking attacks. The threat actor used these tokens to hijack Okta sessions belonging to five customers, three of which were 1Password, BeyondTrust, and Cloudflare. The other two customers affected were not named in the post.
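Because a HAR file records every request and response a browser made, including the `Authorization` and `Cookie` headers and any tokens returned in response bodies, sharing an unsanitized one with a support desk hands over live session material. The following script is an added example written for this post (not Okta's tooling and not from any of the affected vendors): it walks the standard HAR 1.2 structure, redacts credential-bearing headers, cookies and body fields, and can report what a file still leaks before it is uploaded. The header and cookie name lists, the body-field regex and the sample HAR are all constructed assumptions; extend the lists for the applications you actually capture.

```python
import copy
import json
import re
import sys

REDACTED = "[REDACTED]"
# Assumed lists: header names and cookie-name fragments that commonly carry
# session or credential material. Tune these for your own applications.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_COOKIE_RE = re.compile(r"(sid|session|token|jwt|auth|csrf)", re.IGNORECASE)
# JSON keys in request/response bodies that typically hold tokens (assumed list).
SENSITIVE_BODY_RE = re.compile(r'"(access_token|id_token|refresh_token|sessionToken|stateToken)"\s*:')


def _walk(har):
    """Yield (location, holder_dict, key) for every HAR field that may hold a secret.

    Headers and cookies keep the secret under "value"; postData/content keep it under "text".
    """
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side, body_key in (("request", "postData"), ("response", "content")):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    yield f"entries[{i}].{side}.headers.{h['name']}", h, "value"
            for c in msg.get("cookies", []):
                if SENSITIVE_COOKIE_RE.search(c.get("name", "")):
                    yield f"entries[{i}].{side}.cookies.{c['name']}", c, "value"
            body = msg.get(body_key)
            if isinstance(body, dict) and isinstance(body.get("text"), str) \
                    and SENSITIVE_BODY_RE.search(body["text"]):
                yield f"entries[{i}].{side}.{body_key}.text", body, "text"


def find_secrets(har):
    """Return the locations of sensitive fields that are still unredacted."""
    return [loc for loc, holder, key in _walk(har) if holder.get(key) != REDACTED]


def sanitize_har(har):
    """Return a deep copy of the HAR with every sensitive field replaced by REDACTED."""
    clean = copy.deepcopy(har)
    for _, holder, key in _walk(clean):
        holder[key] = REDACTED
    return clean


# Constructed sample: one captured request/response pair with a bearer token,
# a session cookie on both sides, and a token echoed in the response body.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://example.invalid/api/v1/users/me",
                "headers": [{"name": "Authorization", "value": "Bearer example-token-value"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "example-session-id"},
                            {"name": "lang", "value": "en"}],
                "queryString": [],
            },
            "response": {
                "status": 200,
                "headers": [{"name": "Set-Cookie", "value": "sid=example-session-id; Path=/; HttpOnly"}],
                "cookies": [{"name": "sid", "value": "example-session-id"}],
                "content": {"mimeType": "application/json",
                            "text": "{\"sessionToken\":\"example-session-token\"}"},
            },
        }],
    }
}


if __name__ == "__main__":
    # Usage: python sanitize_har.py capture.har > capture.clean.har
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    leaks = find_secrets(src)
    print(f"redacting {len(leaks)} field(s): {leaks}", file=sys.stderr)
    json.dump(sanitize_har(src), sys.stdout, indent=2)
```

Run the report step (`find_secrets`) on a file before sending it anywhere; a non-empty result means the capture still carries reusable session material. Redaction is deliberately name-based rather than value-based so that it does not depend on recognising a particular token format.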
Okta’s CSO said the customer support system was most likely accessed through an employee’s compromised Google account. The unauthorized access used a service account stored within Okta’s customer support system, which had permissions to view and update customer support cases. An employee had signed into their personal Google profile in the Chrome browser of their Okta-managed laptop, and the service account’s username and password had been saved into that personal Google account.
According to the timeline provided by Okta, the company initiated its investigation on September 29th after receiving a report from 1Password. Despite actively investigating for 14 days, Okta did not identify suspicious downloads in its logs. It was later revealed that the threat actor had accessed data by navigating to the Files tab in the customer support system, which generated a different log event type and ID. The necessary indicator to identify the additional file access events associated with the compromised account was only provided by BeyondTrust on October 13th when they shared a suspicious IP address with Okta.
In response to this breach, Okta has implemented new detections that cover both log event types that indicate a file download. These measures aim to address the issue and prevent similar breaches in the future. Okta continues to investigate the incident and is working with affected customers to mitigate any potential risks.
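The detection gap described in the two paragraphs above is a general one: a rule keyed to a single event type misses the same action recorded under a different type, and an external indicator (here an IP address) is what ties the two together. The snippet below is an added example, not Okta's detection logic; the event type names, field names and log records are all constructed placeholders, since the post does not publish the real ones. It shows a single-type rule missing most of the file access, the broadened rule that covers both types, and the pivot from a supplied IP indicator to every record that IP produced.

```python
from collections import Counter

# Placeholder event types for the two ways a file can be reached in a support
# system: a direct download versus viewing the Files tab. Assumed names.
FILE_ACCESS_TYPES = {"support.file.download", "support.case.files.view"}

# Constructed log records in a generic shape; none of these values are real.
EVENTS = [
    {"ts": "2023-10-01T10:00:00Z", "event_type": "support.file.download",
     "actor": "svc-support", "src_ip": "203.0.113.7", "case": "CASE-1"},
    {"ts": "2023-10-03T11:00:00Z", "event_type": "support.case.files.view",
     "actor": "svc-support", "src_ip": "203.0.113.7", "case": "CASE-2"},
    {"ts": "2023-10-05T09:30:00Z", "event_type": "support.case.files.view",
     "actor": "svc-support", "src_ip": "203.0.113.7", "case": "CASE-3"},
    {"ts": "2023-10-05T12:00:00Z", "event_type": "support.case.view",
     "actor": "agent.jane", "src_ip": "198.51.100.20", "case": "CASE-4"},
    {"ts": "2023-10-06T08:15:00Z", "event_type": "support.file.download",
     "actor": "agent.jane", "src_ip": "198.51.100.20", "case": "CASE-4"},
]


def file_access_events(events, types=frozenset(FILE_ACCESS_TYPES)):
    """All records whose event type counts as file access; pass a narrower set to
    reproduce a rule that only knows about one of the two types."""
    return [e for e in events if e["event_type"] in types]


def events_from_indicator(events, ip):
    """Pivot on an externally supplied IP indicator, ignoring event type entirely."""
    return [e for e in events if e["src_ip"] == ip]


def cases_touched(events, actor):
    """Sorted, de-duplicated case IDs an actor reached through any file-access type."""
    return sorted({e["case"] for e in file_access_events(events) if e["actor"] == actor})


def event_type_coverage(events, ip):
    """Which event types an indicator produced and how often; the types seen here that
    are missing from an existing rule are the ones that rule needs to be extended with."""
    return Counter(e["event_type"] for e in events_from_indicator(events, ip))


if __name__ == "__main__":
    narrow = file_access_events(EVENTS, {"support.file.download"})
    print("single-type rule sees", len(narrow), "file access event(s)")
    print("both-type rule sees", len(file_access_events(EVENTS)), "file access event(s)")
    print("indicator pivot:", event_type_coverage(EVENTS, "203.0.113.7"))
    print("cases reached by svc-support:", cases_touched(EVENTS, "svc-support"))
```

The useful habit this encodes: when an indicator arrives, list every event type it produced before assuming the existing rule saw them all, then add the missing types to the rule so the next incident does not depend on a customer supplying the clue.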
The breach highlights the importance of maintaining strong security practices, including regularly updating passwords and avoiding the use of personal accounts for work purposes. It also emphasizes the need for organizations to have robust detection and response mechanisms in place to identify and mitigate security incidents promptly.
In conclusion, Okta’s detailed timeline provides a clearer picture of the recent breach in its customer support case management systems. The breach resulted in a threat actor hijacking sessions for five customers and accessing files associated with 134 Okta customers. Okta has taken steps to address the issue and enhance its security measures, while continuing to work with affected customers to minimize any potential impact.