Okta, a leading identity and authentication management provider, has disclosed that the recent breach of its support case management system impacted 134 out of its 18,400 customers. The unauthorized intruder gained access to Okta's systems between September 28 and October 17, 2023, with the breach resulting in the exposure of HAR files containing session tokens that could potentially be used for session hijacking attacks.
According to David Bradbury, Okta's Chief Security Officer, the threat actor successfully used these session tokens to hijack the legitimate Okta sessions of five customers. Among the affected customers were 1Password, BeyondTrust, and Cloudflare, with 1Password being the first to report suspicious activity on September 29, followed by two other unnamed customers on October 12 and October 18.
The security event was officially disclosed by Okta on October 20, revealing that the threat actor leveraged access to a stolen credential to breach Okta's support case management system. Further investigation uncovered that the access to Okta's customer support system was abused through a service account stored within the system itself, granting privileges to view and update customer support cases.
It was discovered that the username and password for this service account had been saved to an employee's personal Google account, and the employee had signed into their personal account using the Chrome web browser on their Okta-managed laptop.
Okta has taken several measures in response to the breach, including revoking the session tokens found in the HAR files shared by affected customers and disabling the compromised service account. The company has also blocked the use of personal Google profiles on enterprise versions of Google Chrome, preventing employees from signing into their personal accounts on Okta-managed laptops.
Additionally, Okta has introduced session token binding based on network location as a product enhancement to enhance security. This forces Okta administrators to re-authenticate in case of a network change and can be enabled by customers in the early access section of the Okta admin portal. Lorri Janssen-Anessi, Director, External Cyber Assessments at BlueVoyant, weighed in on the incident and what other organizations can learn from it:
“The recently reported breach involving a third-party vendor at Okta once again underscores the critical importance of organizations diligently monitoring their digital supply chain, which is made up of the vendors, suppliers, and other third parties that have network access. Okta, which has previously faced scrutiny over other reported breaches, stated that only employee and not customer data was compromised in this incident. However, the repercussions can extend beyond this initial breach. The exposed employee information can make them susceptible to targeted phishing and impersonation scams, potentially leading to data or monetary theft. Even worse, these scams might be leveraged to obtain the employees’ credentials, enabling further damage to the company.
It is imperative for organizations to comprehensively identify all third-party entities they depend on for their operations, not just those pertaining to customer data. Subsequently, they should assess which of these entities have access to sensitive data and whether such access is warranted. Continuous monitoring of third-party vendors for vulnerabilities and a proactive approach to remediation should be integral parts of an organization’s cybersecurity strategy.”
This security incident follows Okta's previous revelation that personal information of 4,961 current and former employees was exposed in a breach of its healthcare coverage vendor, Rightway Healthcare, on September 23, 2023, including names, Social Security numbers, and health or medical insurance plans.