Okta support system breach underscores the importance of robust MFA policies

In a recent incident, identity and access management company Okta experienced a security breach in its support system. Attackers gained access to the system using stolen credentials and extracted valid customer session tokens from uploaded support files, according to a report by the firm.

Okta’s strong multifactor authentication (MFA) policies played a crucial role in detecting and mitigating the unauthorized access. One of the impacted customers had robust MFA policies in place, which allowed them to identify the breach, block the unauthorized access, and promptly report it to Okta.

The breach occurred when Okta support asked customers to upload an HTTP Archive (HAR) file, which is used for troubleshooting issues by replicating browser activity. Unfortunately, HAR files can also contain sensitive data such as cookies and session tokens, which malicious actors can exploit to impersonate valid users.
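A pre-upload sanitizer for the HAR risk described above, as an added example that is not part of the original article or any Okta tooling: it redacts cookies, authentication headers, token-like parameters and message bodies before a HAR file is shared. The name pattern, the `REDACTED` placeholder, the function names and the sample HAR are assumptions constructed for illustration.

```python
import copy
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_NAME = re.compile(r"token|session|sid|secret|passw|auth", re.I)  # assumed name pattern

def scrub_url(url):
    """Redact sensitive query values and drop the fragment, which can also carry tokens."""
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE_NAME.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query), fragment=""))

def sanitize_har(har):
    """Return (sanitized deep copy, locations of redacted header/cookie/param/body fields)."""
    clean, findings = copy.deepcopy(har), []
    def scrub(items, where, always=False):
        for item in items or []:
            name = item.get("name", "")
            hit = always or name.lower() in SENSITIVE_HEADERS or SENSITIVE_NAME.search(name)
            if hit and item.get("value"):
                item["value"] = REDACTED
                findings.append(f"{where}.{name}")

    for i, entry in enumerate(clean.get("log", {}).get("entries", [])):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"] = scrub_url(req.get("url", ""))
        scrub(req.get("queryString"), f"entry[{i}].request.queryString")
        for side, msg, body_key in (("request", req, "postData"), ("response", resp, "content")):
            scrub(msg.get("headers"), f"entry[{i}].{side}.headers")
            scrub(msg.get("cookies"), f"entry[{i}].{side}.cookies", always=True)
            body = msg.get(body_key) or {}
            scrub(body.get("params"), f"entry[{i}].{side}.{body_key}.params")
            if body.get("text"):  # bodies may embed tokens in JSON or form text
                body["text"] = REDACTED
                findings.append(f"entry[{i}].{side}.{body_key}.text")
    return clean, findings

# Constructed sample (all values made up): one request that carries a session cookie.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"url": "https://example.com/app?sessionToken=abc123&page=2#frag",
                "headers": [{"name": "Cookie", "value": "sid=abc123"},
                            {"name": "Accept", "value": "text/html"}],
                "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "content": {"mimeType": "application/json", "text": '{"token": "def456"}'}}}]}}
```

Review the returned `findings` list before sharing the file; an empty list on a HAR captured from an authenticated session usually means the name pattern needs extending rather than that the capture is clean.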

The incident came to light when security engineers from BeyondTrust, an identity and access security solutions provider, discovered that their in-house Okta administrator account had been hijacked. The company’s security team had implemented policy controls that flagged a suspicious authentication attempt originating from an IP address in Malaysia.

BeyondTrust had enforced a policy in the Okta environment that only allowed access to the Okta admin console from managed devices on which Okta Verify, a multifactor authentication application developed by Okta, was installed. As a result, when the attacker attempted to access the admin console using the stolen session token, they were prompted for MFA. This additional layer of security foiled the attempt, even though the attacker held a valid session token.

The BeyondTrust security team emphasized that Okta customers should strengthen their security policies with measures such as requiring admin users to complete MFA on every sign-in. They also highlighted that even though the attacker had hijacked an existing session, Okta’s system treats dashboard access as a new sign-in and prompts for MFA.

Okta has acknowledged the breach and is working closely with BeyondTrust to investigate the incident and determine any potential impact on its customers. In a blog post, David Bradbury, Okta’s chief security officer, assured customers that they are taking the necessary steps to address the issue and enhance their security measures. He also encouraged customers to remain vigilant and follow best practices for securing their Okta accounts.

This incident serves as a reminder of the importance of robust security measures, including multifactor authentication, to protect sensitive information and prevent unauthorized access. Companies should continuously evaluate their security policies and implement necessary safeguards to mitigate the risk of such breaches. Okta’s swift detection and response demonstrate the effectiveness of MFA in thwarting unauthorized access attempts and safeguarding customer data.
