Okta, a prominent identity and access management company, has issued a warning regarding credential stuffing attacks aimed at its Customer Identity Cloud (CIC) platform. The company has detected that threat actors are taking advantage of the cross-origin authentication feature within CIC to carry out these attacks.
In line with its Okta Secure Identity Commitment, the company continuously monitors and assesses any potentially suspicious activities, ensuring that customers are promptly informed of any threats that may arise. This proactive approach to cybersecurity is part of Okta’s dedication to ensuring the safety and security of its users’ identities and data.
Credential stuffing is a type of cyberattack where malicious actors attempt to gain unauthorized access to online services by using extensive lists of usernames and passwords. These credentials are typically acquired through previous data breaches, phishing schemes, or malware attacks. Okta has observed that the endpoints supporting the cross-origin authentication feature are being specifically targeted in these attacks across multiple customers.
The suspicious activity related to these attacks was first identified on April 15. Okta has advised its customers to carefully review their logs for any unusual activity from that date onwards. To assist with this review process, the company has provided specific log events to look out for, such as “fcoa” for failed cross-origin authentication, “scoa” for successful cross-origin authentication, and “pwd_leak” for attempted logins with leaked passwords.
Customers are encouraged to scrutinize their tenant logs for any unexpected fcoa, scoa, and pwd_leak events. If tenants who do not use cross-origin authentication discover scoa or fcoa events in their logs, they may have been targeted in a credential stuffing attack. Similarly, tenants using cross-origin authentication should be vigilant for any unusual spikes in scoa events or an increase in the ratio of failure-to-success events, indicating a potential attack.
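The review described above can be scripted against exported tenant logs. The following is an added example, not code from Okta or from the original article: the record fields `type` and `date`, the baseline ratio and the threshold factor are assumptions, and the sample records are constructed. It covers the unexpected-event and failure-to-success ratio checks.

```python
from collections import Counter, defaultdict

WATCHED = {"fcoa", "scoa", "pwd_leak"}  # event codes named in the advisory

def daily_counts(events):
    """Tally watched event types per calendar day (first 10 chars of an ISO date)."""
    days = defaultdict(Counter)
    for ev in events:
        if ev.get("type") in WATCHED:
            days[ev["date"][:10]][ev["type"]] += 1
    return days

def review(events, uses_cross_origin_auth, baseline_ratio, factor=3.0):
    """Return (day, reason) findings following the advisory's review guidance.

    baseline_ratio: the tenant's normal fcoa/scoa ratio (an assumed input).
    factor: how far above baseline counts as an increase (an assumed threshold).
    """
    findings = []
    for day, c in sorted(daily_counts(events).items()):
        if c["pwd_leak"]:
            findings.append((day, f"{c['pwd_leak']} login attempt(s) with leaked passwords"))
        if not uses_cross_origin_auth:
            # Any fcoa/scoa event is unexpected when the feature is not in use.
            if c["fcoa"] or c["scoa"]:
                findings.append((day, "cross-origin events on a tenant that does not use the feature"))
            continue
        ratio = c["fcoa"] / max(c["scoa"], 1)  # avoid division by zero
        if ratio > baseline_ratio * factor:
            findings.append((day, f"failure-to-success ratio {ratio:.1f} above baseline"))
    return findings

def make_day(day, fcoa, scoa, pwd_leak=0):
    """Build constructed sample records for one day."""
    counts = {"fcoa": fcoa, "scoa": scoa, "pwd_leak": pwd_leak}
    return [{"type": t, "date": f"{day}T12:00:00Z"} for t, n in counts.items() for _ in range(n)]

# Constructed sample data (dates included): a quiet day, then a day with many failures.
SAMPLE = make_day("2024-04-14", fcoa=4, scoa=40) + make_day("2024-04-15", fcoa=300, scoa=45, pwd_leak=12)

if __name__ == "__main__":
    for day, reason in review(SAMPLE, uses_cross_origin_auth=True, baseline_ratio=0.1):
        print(day, reason)
```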
As a precautionary measure, Okta recommends that users whose passwords may have been compromised in a credential stuffing attack immediately rotate their credentials.
To protect themselves from such attacks, Okta has outlined a series of recommendations for its users. These include implementing longer-term solutions like passwordless, phishing-resistant authentication, as well as medium and short-term mitigations such as strong password policies, multi-factor authentication, and disabling unused endpoints.
By taking proactive steps and adhering to the security guidelines provided by Okta, customers can enhance the protection of their identities and safeguard the security of their online services against credential stuffing attacks. The company’s commitment to proactive monitoring and detailed guidance underscores its dedication to ensuring the safety and security of its customers’ digital identities.