Search This Blog

Powered by Blogger.

Blog Archive

Labels

Okta: October Data Breach Impacts All User Across Customer Support Systems

Over the previous two years, Okta has been the victim of credential theft and social engineering attacks.

Okta

The latest investigation

Okta’s recent investigation into the exploit of its Help Center environment in October disclosed that the threat actors stole the data that belonged to all customer support system users. Okta mentioned that the hackers also stole extra reports and support cases with contact info for all contact of all certified Okta users. 

“We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident,” mentioned Okta

Hackers gain unauthorized access

Early in November, the company announced that a threat actor had obtained unauthorized access to files within its customer support system, indicating a small data breach. 

Based on facts revealed at the time, the hacker acquired HAR files containing cookies and session tokens for 134 clients - fewer than 1% of the company's customers - which might be used to disrupt legitimate users' Okta sessions.

Let us take a deep dive into the incident 

A deeper look into the incident found that the threat actor also "downloaded a report that contained the names and email addresses of all Okta customer support system users."

Okta, on the other hand, adds that the only contact information accessible for 99.6% of the users identified in the study was their full name and email address. Okta ensured that no credentials had been compromised.

According to Okta's announcement, most exposed users are administrators, and 6% have not enabled multi-factor authentication security against fraud login attempts.

According to Okta, the hackers also obtained data from "Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts" and Okta personnel information.

A lot of the time, names and email addresses are sufficient for a hacker to carry out phishing or social engineering scams that may act as espionage or help them collect more information to construct a more sophisticated attack.

Okta recommends the following measures to protect against potential attacks:

  • Implement multi-factor authentication (MFA) for admin access, preferably utilizing phishing-resistant technologies such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards.
  • Configure admin session binding to make new IP addresses require re-authentication for admin sessions.
  • As per NIST recommendations, set up admin session timeouts to a limit of 12 hours with a 15-minute idle time.
  • Raise phishing awareness by being alert to phishing efforts and reinforcing IT Help Desk verification processes, particularly for high-risk behaviors.

“We also identified additional reports and support cases that the threat actor accessed, which contain the contact information of all Okta-certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data,” wrote Okta in a statement. 

Over the previous two years, Okta has been the victim of credential theft and social engineering attacks, with attackers gaining access to source code from the company's private GitHub repositories last December.


Share it:

Cyber Security

data security

Login Security

Okta

User Security