Okta, a leading provider of identity services, revealed a recent security incident affecting its support case management system. Unidentified threat actors exploited compromised credentials to gain access, allowing them to view sensitive files uploaded by certain customers.
David Bradbury, Okta’s Chief Security Officer, stated, “The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.” He reassured stakeholders that the incident did not impact the core Okta service, which remains fully operational. The company also confirmed that its Auth0/CIC case management system was unaffected, and directly informed impacted customers.
This breach raises concerns because the customer support system allows for the upload of HTTP Archive (HAR) files, which can contain sensitive data, including cookies and session tokens. Such information could be exploited by malicious actors to impersonate legitimate users. Okta took corrective measures, working with affected customers to revoke embedded session tokens and mitigate potential abuse.
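The practical defensive lesson here is that a HAR file is a full request/response capture, so cookies, Set-Cookie headers and Authorization headers inside it are live credentials until they are revoked. The following script is an added example (not code from the article, from Okta or from any of the affected companies) that scrubs those fields from a HAR before it is attached to a support case, and reports what would have been shared otherwise. The HAR content is constructed for the example; the header list and the `[REDACTED]` marker are the script's own assumptions.

```python
import copy
import json

# Constructed HAR 1.2 fragment for the example; not a real capture.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.invalid/api/v1/users/me",
                    "headers": [
                        {"name": "Cookie", "value": "sid=102abc; JSESSIONID=DEADBEEF"},
                        {"name": "Authorization", "value": "Bearer eyJ.example.token"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [
                        {"name": "sid", "value": "102abc"},
                        {"name": "JSESSIONID", "value": "DEADBEEF"},
                    ],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=102abc; Path=/; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "102abc"}],
                    "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"},
                },
            }
        ],
    }
}

# Header names whose values are credentials (assumed list; extend for your apps).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _each_part(har):
    """Yield (side, dict) for every request and response in the HAR."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            yield side, entry.get(side, {})


def leaked_secrets(har):
    """Return (side, field) pairs still carrying a credential value."""
    found = []
    for side, part in _each_part(har):
        for h in part.get("headers", []):
            if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                found.append((side, h["name"]))
        for c in part.get("cookies", []):
            if c.get("value") != REDACTED:
                found.append((side, "cookie:" + c.get("name", "")))
    return found


def sanitize_har(har):
    """Return (sanitized deep copy, number of values redacted); input is untouched."""
    clean = copy.deepcopy(har)
    redacted = 0
    for _, part in _each_part(clean):
        for h in part.get("headers", []):
            if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                h["value"] = REDACTED
                redacted += 1
        for c in part.get("cookies", []):
            if c.get("value") != REDACTED:
                c["value"] = REDACTED
                redacted += 1
    return clean, redacted


if __name__ == "__main__":
    before = leaked_secrets(SAMPLE_HAR)
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"would have shared {len(before)} credential fields; redacted {n}")
    print(f"remaining after scrub: {leaked_secrets(clean)}")
    print(json.dumps(clean, indent=2))
```

Run this over a real export before uploading it; the `leaked_secrets` check is also useful as a gate in a support-ticket workflow, rejecting any HAR that still contains an unredacted cookie or bearer token. Scrubbing the file does not replace revoking tokens that were already shared, which is the step Okta describes taking with affected customers.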
While Okta has not disclosed the full scale or timeline of the attack, it is known that the company serves over 17,000 customers and manages around 50 billion users as of March 2023. Notably, two companies, BeyondTrust and Cloudflare, confirmed they were targeted in this incident. Cloudflare reported that a session token from a support ticket created by one of its employees was hijacked, which allowed the attacker to access its systems on October 18.
Cloudflare characterized the event as sophisticated, mentioning that the threat actor compromised two separate accounts within the Okta platform. Despite this, the company confirmed that no customer data or systems were accessed as a result of the attack.
BeyondTrust notified Okta of the incident after detecting suspicious activity shortly after submitting a HAR file on October 2, aiming to resolve a support issue. Fortunately, it reported that the attempted attacks were thwarted through its own identity security tools, resulting in no impact to its infrastructure or customers.
This latest breach adds to the series of security challenges Okta has faced in recent years, as its single sign-on (SSO) services are widely utilized by many large enterprises. The risk to high-value targets, such as Okta, has escalated, making it a prime focus for hacking groups.
In an update provided to The Hacker News, Okta clarified that the breach affected only around 1% of its 18,400 customers. The incident underscores the prevailing risks associated with data management systems and emphasizes the need for stringent security measures.
The tactics likely used in this attack can be examined through the lens of the MITRE ATT&CK Matrix. Initial access may have been achieved with the compromised credentials, while persistence could involve maintaining access through the stolen session tokens. These insights highlight weaknesses that organizations should address in their cybersecurity strategies.