Identity and authentication management provider Okta has reported a security breach affecting 134 of its 18,400 customers, following a compromise of its support case management system. The unauthorized access took place between September 28 and October 17, 2023. During this period, the intruder viewed HAR (HTTP Archive) files that customers had uploaded to support for troubleshooting. A HAR file is a browser recording of HTTP traffic and, unless it is sanitized before upload, it captures every request and response header, including cookies and bearer tokens. The files the attacker accessed contained valid session tokens, which can be replayed to hijack the sessions they belong to.
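To make the HAR risk concrete, the following is an added example (not code from the original article or from Okta) that shows what session material a browser HAR exposes and how to strip it before the file leaves your hands. The sample HAR, the hostname, the cookie names and the token values are all constructed for illustration; the list of sensitive header names is an assumption you should extend for your own environment.

```python
import copy
import re

# Header names whose values carry credentials or session material (assumed list; extend as needed).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"
# Bearer-style tokens that may appear inside request/response bodies (illustrative pattern).
TOKEN_IN_BODY = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+")

# Constructed HAR fragment: one request to a fictitious Okta tenant, as a browser would record it.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://example.okta.com/api/v1/users/me",
            "headers": [{"name": "Host", "value": "example.okta.com"},
                        {"name": "Cookie", "value": "sid=102abcDEF456; DT=xyz789"},
                        {"name": "Authorization", "value": "Bearer eyJhbGciOi.fake.token"}],
            "cookies": [{"name": "sid", "value": "102abcDEF456"}, {"name": "DT", "value": "xyz789"}],
            "postData": {"mimeType": "application/json", "text": "{}"},
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=102abcDEF456; Path=/; Secure; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "102abcDEF456"}],
            "content": {"mimeType": "application/json", "text": "{\"token\": \"Bearer eyJhbGciOi.fake.token\"}"},
        },
    }]}
}


def harvest_session_material(har):
    """What an attacker with read access to the HAR can lift: (name, value) pairs worth replaying."""
    found = []
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    found.append((h["name"], h["value"]))
            for c in part.get("cookies", []):
                found.append(("cookie:" + c["name"], c["value"]))
    return found


def sanitize_har(har):
    """Return (sanitized copy, number of redactions). The input is not modified."""
    clean = copy.deepcopy(har)
    redacted = 0
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
                    redacted += 1
            for c in part.get("cookies", []):
                c["value"] = REDACTED
                redacted += 1
            # Bodies can also carry tokens (e.g. a JSON login response); scrub bearer tokens there too.
            body_key = "postData" if side == "request" else "content"
            body = part.get(body_key)
            if body and isinstance(body.get("text"), str):
                body["text"], n = TOKEN_IN_BODY.subn("Bearer " + REDACTED, body["text"])
                redacted += n
    return clean, redacted


def is_safe_to_upload(har):
    """True only if nothing replayable remains: every sensitive value is redacted and no body token survives."""
    if any(value != REDACTED for _, value in harvest_session_material(har)):
        return False
    for entry in har["log"]["entries"]:
        for side, key in (("request", "postData"), ("response", "content")):
            text = entry.get(side, {}).get(key, {}).get("text", "")
            if TOKEN_IN_BODY.search(text) and REDACTED not in text:
                return False
    return True


if __name__ == "__main__":
    print("exposed before sanitizing:", harvest_session_material(SAMPLE_HAR))
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values; safe to upload: {is_safe_to_upload(clean)}")
```

The point of `harvest_session_material` is that it needs no exploit at all: the cookie and bearer values are plain text in the file, so anyone who can read the support case can replay them until they expire or are revoked. Sanitizing on the client side, before upload, is the only control that does not depend on the support vendor's security.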
According to Okta’s Chief Security Officer, David Bradbury, the attacker used the stolen tokens to hijack legitimate sessions belonging to five of those customers. Three of them, 1Password, BeyondTrust and Cloudflare, have been publicly identified. The incident first came to light when 1Password detected suspicious activity on September 29; two further, unnamed customers reported compromises on October 12 and October 18.
Okta formally disclosed the security incident on October 20, explaining that the intruder gained access through a stolen credential tied to Okta’s support case management system. The investigation found that the attacker used a service account whose privileges allowed it to view and update customer support cases. The credentials for that service account had been saved into an employee’s personal Google account, because the employee had signed in to that personal profile in the browser of an Okta-managed device, so the saved username and password synced outside the corporate boundary.
Bradbury stated that the most likely exploitation vector was a compromise of the employee’s personal Google account or of a personal device signed in to it. In response, Okta revoked the session tokens embedded in the affected HAR files and disabled the compromised service account to cut off further unauthorized access.
To bolster security, Okta has blocked the use of personal Google profiles in Chrome on corporate devices, closing the path by which saved credentials can sync to an unsanctioned personal account. In addition, Okta now binds administrator session tokens to network location: if a session token is presented from a different network than the one it was issued to, the administrator is forced to re-authenticate. This limits the value of a stolen token, since an attacker replaying it from their own infrastructure triggers re-authentication rather than gaining the admin session, although it does not protect against replay from the same network the legitimate user is on.
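The following is an added example, not Okta's code, that shows the difference between an unbound session store and one bound to network location. How Okta determines "network location" is not public; this example assumes a /24 for IPv4 (and /64 for IPv6) as the unit of binding, and all IP addresses and user names are constructed.

```python
import ipaddress
import secrets
import time

SESSION_TTL_SECONDS = 3600


def network_of(ip):
    """Coarse 'network location' of a client address (assumed granularity: /24 for v4, /64 for v6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class SessionStore:
    """Bearer-style sessions; with bind_to_network=True a token only works from the network it was issued to."""

    def __init__(self, bind_to_network):
        self.bind_to_network = bind_to_network
        self._sessions = {}  # token -> session record

    def issue(self, user, client_ip, now=None):
        token = secrets.token_urlsafe(32)  # 256-bit random session identifier
        self._sessions[token] = {
            "user": user,
            "net": network_of(client_ip),
            "issued": time.time() if now is None else now,
        }
        return token

    def validate(self, token, client_ip, now=None):
        """Return 'ok', 'invalid', 'expired' or 'reauth_required'. A network mismatch burns the token."""
        record = self._sessions.get(token)
        if record is None:
            return "invalid"
        now = time.time() if now is None else now
        if now - record["issued"] > SESSION_TTL_SECONDS:
            del self._sessions[token]
            return "expired"
        if self.bind_to_network and network_of(client_ip) != record["net"]:
            # A stolen token replayed from elsewhere: drop it so the legitimate owner
            # must re-authenticate and the attacker's copy is worthless.
            del self._sessions[token]
            return "reauth_required"
        return "ok"

    def active_user(self, token):
        record = self._sessions.get(token)
        return record["user"] if record else None


def replay_scenario(bind_to_network):
    """Constructed scenario: an admin session is captured (e.g. from a HAR) and replayed by an attacker."""
    store = SessionStore(bind_to_network=bind_to_network)
    token = store.issue("admin@example.com", "203.0.113.10", now=1000)
    results = {
        "same_host": store.validate(token, "203.0.113.10", now=1001),
        "same_network": store.validate(token, "203.0.113.20", now=1002),    # another host in the /24
        "attacker_network": store.validate(token, "198.51.100.5", now=1003),  # replay from elsewhere
        "owner_after_replay": store.validate(token, "203.0.113.10", now=1004),
    }
    return results


if __name__ == "__main__":
    print("unbound:", replay_scenario(bind_to_network=False))
    print("bound:  ", replay_scenario(bind_to_network=True))
```

With binding off, the replayed token is accepted from the attacker's network and the legitimate owner never notices. With binding on, the replay returns `reauth_required` and the token is destroyed, so the owner's next request also fails and they log in again. The cost is that legitimate roaming (VPN reconnects, mobile networks) forces re-authentication, which is why Okta applied it to administrator sessions, where the trade-off is clearly worth it.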
These developments follow a separate incident disclosed by Okta, in which personal data belonging to nearly 5,000 current and former employees was exposed after a breach at Rightway Healthcare, a vendor Okta uses for health coverage services. The compromised data included names and Social Security numbers, underscoring that personally identifiable information is only as well protected as the weakest vendor in the chain.
Mapped to the MITRE ATT&CK framework, the chain described above lines up with Valid Accounts (T1078) for initial access with the stolen service account credential, Steal Web Session Cookie (T1539) for the tokens harvested from the HAR files, and Use Alternate Authentication Material: Web Session Cookie (T1550.004) for replaying those tokens against the customers’ tenants. Nothing in Okta’s disclosure indicates privilege escalation or lateral movement inside Okta’s own network; the damage came from credentials that were valid and from session tokens that were never meant to leave the browser. Business owners and security teams should treat the incident as a reminder that identity providers concentrate risk, that saved passwords follow whichever browser profile they are saved in, and that support artifacts such as HAR files need to be sanitized and their embedded sessions revoked as a matter of routine.