CyberSecurity SEE

Okta’s Customer Support System Hacked through Unauthorized Credentials

Okta, a renowned identity and access management vendor, recently disclosed a breach in its support case management system, where a threat actor accessed customer files using stolen credentials. The Chief Security Officer (CSO) of Okta, David Bradbury, confirmed in a blog post that the attacker gained unauthorized access to recent customer support case HTTP Archive (HAR) files, which contained session tokens that could be used to impersonate valid users.

Bradbury stressed that the breach only affected the support case management system and not the production Okta service, which remained uncompromised. Okta has notified all affected customers and has taken steps to address the issue. They have revoked embedded session tokens and have reevaluated the handling of HAR files. Bradbury also recommended sanitizing all credentials and cookies/session tokens before sharing HAR files.
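As an added illustration of the sanitization step recommended above (this is not Okta's code and not part of the original article), the following Python script redacts cookies, credential-bearing headers, token-bearing query parameters and response bodies from a HAR 1.2 file before it is attached to a support case. The header and parameter name lists and the sample capture are constructed for the example; extend the lists for application-specific headers your own apps use.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed lists of header and query-parameter names that carry credentials, tokens or session material.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "code", "session", "sessiontoken"}
REDACTED = "[REDACTED]"

def _redact_pairs(pairs, sensitive_names=None):
    """Blank the value of each HAR name/value pair whose name is in sensitive_names (None = all); return the count."""
    hits = [p for p in pairs if sensitive_names is None or p.get("name", "").lower() in sensitive_names]
    for p in hits:
        p["value"] = REDACTED
    return len(hits)

def _redact_url(url):
    """Blank sensitive query parameters in the raw request URL, which HAR stores apart from queryString."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    clean = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), sum(k.lower() in SENSITIVE_PARAMS for k, _ in pairs)

def sanitize_har(har):
    """Return (sanitized deep copy, number of values redacted) for a parsed HAR 1.2 document."""
    har = copy.deepcopy(har)
    redacted = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            redacted += _redact_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            # HAR also lists parsed cookies; every cookie value is a potential session token, so blank them all.
            redacted += _redact_pairs(msg.get("cookies", []))
        redacted += _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        if req.get("url"):
            req["url"], n = _redact_url(req["url"])
            redacted += n
        # Response bodies (token endpoints, API replies) can embed tokens too; drop them outright.
        if resp.get("content", {}).get("text"):
            resp["content"]["text"], redacted = REDACTED, redacted + 1
    return har, redacted

# Constructed sample HAR with one request/response pair (not a real capture).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{"request": {
    "method": "GET", "url": "https://example.invalid/api/v1/users/me?token=abc123&page=2",
    "headers": [{"name": "Cookie", "value": "sid=SESSION-VALUE"}, {"name": "Accept", "value": "*/*"}],
    "cookies": [{"name": "sid", "value": "SESSION-VALUE"}],
    "queryString": [{"name": "token", "value": "abc123"}, {"name": "page", "value": "2"}]}, "response": {
    "status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=NEW-VALUE; HttpOnly"}],
    "cookies": [{"name": "sid", "value": "NEW-VALUE"}],
    "content": {"mimeType": "application/json", "text": "{\"token\": \"secret\"}"}}}]}}
```

For a real export, load the file with `json.load`, pass the result to `sanitize_har`, and write the returned document back out; still read the sanitized file before uploading, because application-specific headers or request bodies outside the lists above may also carry secrets.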

While Okta has confirmed the use of stolen credentials in the attack, it has not disclosed how or when those credentials were acquired. The scope of the attack remains unknown, with Bradbury stating only that “certain Okta customers” were affected. Okta did not provide the additional information that TechTarget Editorial sought from the vendor.

However, two separate disclosures from customers BeyondTrust and Cloudflare shed more light on the breach. BeyondTrust detected threat activity earlier this month and alerted Okta, but claimed that the response from Okta was slow. BeyondTrust persisted with escalations until October 19th, when Okta security leadership confirmed the breach. Despite concerns about Okta’s response, BeyondTrust applauded the vendor for its transparency in reporting the breach.

BeyondTrust also provided details about the attack. An Okta administrator at BeyondTrust uploaded a HAR file to Okta support on October 2nd while troubleshooting an issue. Within 30 minutes of the upload, malicious activity was detected from an IP address in Malaysia, which did not align with the user’s location. BeyondTrust’s security policies prevented further access, and the company promptly contacted Okta to initiate an investigation. The investigation did not find any evidence of compromise, but it did reveal the existence of the HAR file generated for the support case.

Cloudflare, another customer of Okta, discovered an attack on their systems that traced back to Okta. Attackers hijacked a session token from a support ticket submitted by a Cloudflare employee and used it to access Cloudflare’s systems. The attack involved compromising two employee accounts within the Okta platform. However, Cloudflare’s rapid response prevented any harm to their customers. Cloudflare also expressed concerns about Okta’s disclosure process, as they detected the activity internally more than 24 hours before being notified by Okta.

This is not the first time Okta has faced a breach. Similar incidents involving stolen credentials were reported last month, and there was another breach in 2022. Okta, Cloudflare, and BeyondTrust have provided mitigation recommendations to address the current breach. Okta has released indicators of compromise for customers to perform threat-hunting activities, while Cloudflare urged Okta to take reports of compromise seriously and provide timely disclosures to affected customers. It is also important for Okta customers to review session expiration policies and enable hardware multi-factor authentication (MFA) for all accounts.

In conclusion, Okta has disclosed a breach in its support case management system, where a threat actor gained unauthorized access using stolen credentials. The scope and timeline of the attack remain unknown, but additional information provided by customers BeyondTrust and Cloudflare shed more light on the incident. Okta and its customers are taking necessary steps to mitigate the breach and improve security measures.
