CyberSecurity SEE

Okta’s Warning on Credential-Stuffing Attacks Resurfaces

Okta, a leading identity management service provider, has issued a warning for the second time in just over a month about credential-stuffing attacks targeting its Customer Identity Cloud (CIC) authentication offering. These attacks, which involve adversaries using large lists of usernames and passwords obtained from previous data breaches, phishing, or malware campaigns, were observed on the cross-origin authentication feature of the CIC starting on April 15.

This recent warning follows a similar alert issued by Okta last month regarding a surge in credential-stuffing attacks against its service. The previous attacks were largely carried out through anonymizing devices like Tor or various residential proxies such as NSOCKS, Luminati, and DataImpulse.

In response to the attacks, Okta has proactively notified customers with the cross-origin authentication feature enabled and provided detailed guidance on mitigation and prevention strategies. The company has advised customers to monitor their tenant logs for specific events indicating a potential attack, such as failed cross-origin authentication (FCOA), successful cross-origin authentication (SCOA), or attempts to log in with leaked passwords (pwd_leak).

Customers using Okta’s CORS feature should pay close attention to these events in their logs to determine if they have been targeted. Even if a tenant does not use cross-origin authentication, the presence of SCOA or FCOA events in the logs could still indicate a potential attack.
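As an added illustration (not code from Okta or from the original article), the log review described above can be sketched as a small triage script over exported tenant logs. The newline-delimited JSON layout, the field names `type`, `ip` and `user_name`, and the `min_users` threshold are assumptions; the sample records are constructed.

```python
import json

# Constructed sample records; the JSON layout and field names are assumptions.
SAMPLE_LOGS = """\
{"type": "fcoa", "ip": "198.51.100.7", "user_name": "alice@example.com"}
{"type": "fcoa", "ip": "198.51.100.7", "user_name": "bob@example.com"}
{"type": "fcoa", "ip": "198.51.100.7", "user_name": "carol@example.com"}
{"type": "scoa", "ip": "198.51.100.7", "user_name": "dave@example.com"}
{"type": "pwd_leak", "ip": "203.0.113.9", "user_name": "erin@example.com"}
{"type": "s", "ip": "192.0.2.44", "user_name": "frank@example.com"}
{"type": "fcoa", "ip": "192.0.2.50", "user_name": "gina@example.com"}
"""

WATCHED = {"fcoa", "scoa", "pwd_leak"}  # event codes named in the advisory, lowercased


def triage(lines, uses_cross_origin_auth, min_users=3):
    """Return findings as (kind, source_ip, detail) tuples for the watched events."""
    failed_users = {}  # source ip -> set of usernames with failed cross-origin auth
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        etype = str(event.get("type", "")).lower()
        if etype not in WATCHED:
            continue
        ip = event.get("ip", "unknown")
        user = event.get("user_name", "unknown")
        # Any cross-origin event is suspicious on a tenant that never uses the feature.
        if etype in ("fcoa", "scoa") and not uses_cross_origin_auth:
            findings.append(("unexpected_cross_origin_event", ip, user))
        if etype == "fcoa":
            failed_users.setdefault(ip, set()).add(user)
        elif etype == "scoa" and len(failed_users.get(ip, ())) >= min_users:
            # A success from a source that just failed against many accounts
            # is the account most likely to need a password reset.
            findings.append(("success_after_failures", ip, user))
        elif etype == "pwd_leak":
            findings.append(("leaked_password_attempt", ip, user))
    for ip, users in failed_users.items():
        if len(users) >= min_users:
            findings.append(("many_accounts_failed_from_one_ip", ip, len(users)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS.splitlines(), uses_cross_origin_auth=True):
        print(finding)
```

Per-source grouping undercounts traffic that rotates through residential proxies, so the tenant-wide volume of failed cross-origin events is worth tracking alongside it.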

To bolster defenses against credential-stuffing attacks, Okta has recommended several long-term strategies for customers. These include enrolling users in passwordless, phishing-resistant authentication methods and implementing passkeys as a secure option. For organizations still using passwords, Okta advises setting password requirements of at least 12 characters and disallowing parts of the username. Additionally, implementing multifactor authentication (MFA) can significantly reduce the risk of successful credential-stuffing attacks.

Okta has also suggested that tenants not using the cross-origin authentication feature can disable endpoints to eliminate the attack vector entirely. Furthermore, in the event of a credential-stuffing attack, affected users should immediately change compromised passwords to prevent further unauthorized access.

Credential-stuffing attacks have become a growing concern for organizations across various industries, including high-profile companies like 23andMe, Roku, and Hot Topic. By following Okta’s guidance on long-term defense strategies and proactive monitoring of authentication events, organizations can enhance their security posture and better protect against these types of attacks.
