Okta customer support system breach affected 134 customers

November 10, 2023

Okta has confirmed that the recent breach of its customer support system affected 134 customers, less than 1% of its customer base.

Based on Okta's reports, the attackers gained unauthorised access to files belonging to those customers. Last month, Okta disclosed that the intruder had compromised its support case management system and obtained authentication material, including session cookies and tokens, from the files stored there.

With that material in hand, the attackers could impersonate legitimate users in later attacks. Specifically, they accessed HTTP Archive (HAR) files that customers had uploaded to Okta's support system while troubleshooting. A HAR file is a JSON record of a browser session, including every request and response header, so unless it is scrubbed before upload it carries the cookies, session tokens, and other authentication details that were in use at the time of capture.
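Because a HAR file is plain JSON, the fields that leak session state are easy to locate and scrub before the file ever leaves the customer's hands. The following Python script is an added example for this article, not code from Okta or from any of the affected customers; it walks the HAR 1.2 structure and replaces cookie values, authorization headers, token-bearing query or form parameters, and any body that appears to carry a token field with a placeholder. The sample HAR embedded in it is constructed for the example, and the lists of header and parameter names treated as sensitive are an assumption to be extended for the reader's own applications.

```python
"""Scrub session material from a HAR (HTTP Archive 1.2) file before uploading
it to a vendor's support portal.

Added example for this article, not Okta's or any affected customer's code.
SAMPLE_HAR is constructed; the SENSITIVE_* name lists are an assumption and
should be extended for your own applications.
"""
import copy
import json
import sys

# Header names whose values carry credentials or session state (assumption).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie",
                     "set-cookie", "x-api-key"}
# Query/form parameter and JSON field names that commonly carry tokens (assumption).
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "sessiontoken",
                    "code", "password"}
REDACTED = "[REDACTED]"


def _redact_named(items, sensitive=None):
    """Replace the value of each {name, value} pair whose name is in `sensitive`.
    With sensitive=None every pair is redacted (used for cookies, where every
    value is session state). Returns the number of values changed."""
    changed = 0
    for item in items:
        name = item.get("name", "").lower()
        if (sensitive is None or name in sensitive) and item.get("value") != REDACTED:
            item["value"] = REDACTED
            changed += 1
    return changed


def _redact_body(container):
    """Blank a request or response body if it looks like it carries a token
    field (e.g. an OAuth token response). Coarse on purpose: over-redacting a
    body is cheaper than leaking a session."""
    text = container.get("text")
    if not text or text == REDACTED:
        return 0
    lowered = text.lower()
    if any(f'"{name}"' in lowered for name in SENSITIVE_PARAMS):
        container["text"] = REDACTED
        return 1
    return 0


def sanitize_har(har):
    """Return (sanitized deep copy, number of values redacted); input is untouched."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        count += _redact_named(req.get("headers", []), SENSITIVE_HEADERS)
        count += _redact_named(resp.get("headers", []), SENSITIVE_HEADERS)
        count += _redact_named(req.get("cookies", []))      # all cookies
        count += _redact_named(resp.get("cookies", []))     # all cookies
        count += _redact_named(req.get("queryString", []), SENSITIVE_PARAMS)
        post = req.get("postData", {})
        count += _redact_named(post.get("params", []), SENSITIVE_PARAMS)
        count += _redact_body(post)
        count += _redact_body(resp.get("content", {}))
    return out, count


# Constructed sample: one authenticated API call as a browser would record it.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "example", "version": "0"},
    "entries": [{
        "request": {
            "method": "GET", "url": "https://example.okta.com/api/v1/users/me?limit=1",
            "headers": [{"name": "Host", "value": "example.okta.com"},
                        {"name": "Cookie", "value": "sid=abc123; JSESSIONID=deadbeef"},
                        {"name": "Authorization", "value": "Bearer eyJhbGciOi.example"}],
            "cookies": [{"name": "sid", "value": "abc123"},
                        {"name": "JSESSIONID", "value": "deadbeef"}],
            "queryString": [{"name": "limit", "value": "1"}]},
        "response": {
            "status": 200,
            "headers": [{"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=abc123; Secure; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "abc123"}],
            "content": {"mimeType": "application/json",
                        "text": '{"id": "00u1", "sessionToken": "20111xyz"}'}}}]}}


def main(argv):
    """CLI: sanitize the given .har file and write <name>.sanitized.har beside it."""
    if len(argv) != 2:
        print(f"usage: {argv[0]} capture.har", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        clean, n = sanitize_har(json.load(fh))
    out_path = argv[1].rsplit(".", 1)[0] + ".sanitized.har"
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(clean, fh, indent=2)
    print(f"redacted {n} values -> {out_path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python sanitize_har.py capture.har` to produce `capture.sanitized.har`. Even after scrubbing, review the output by hand: a redirect URL or a response body can carry a token under a name the list does not know, and the safest option remains recording the capture in a fresh, logged-out browser profile so there is no live session to leak in the first place.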

Okta said that the attack exploited stolen credentials to breach their systems.

According to the advisory published by the company, its security team detected malicious activity that used stolen credentials to access the support case management system. The attackers targeted archives uploaded by specific Okta customers as part of their recent support cases. Notably, three affected customers publicly shared details of the incident: Cloudflare, 1Password, and BeyondTrust.

The attackers reached Okta's customer support system through a service account stored within it; that account had permission to view and update support cases. The company's investigation determined that an employee had signed in to a personal Google account in Chrome on an Okta-managed laptop, and the service account's username and password were saved into that personal profile. The most likely path to exposure was therefore a compromise of the employee's personal Google account or personal device.

In response, the company deactivated the compromised service account and prohibited the use of personal Google profiles in Chrome on Okta-managed devices. It also deployed additional detection and monitoring rules for the customer support system and began binding Okta administrator session tokens to a network location, so that an administrator is forced to re-authenticate if the session is used from a different network.

In a separate incident, Okta recently notified about 5,000 current and former employees that a breach at a third-party vendor, Rightway Healthcare, had exposed their personal information. Before that, in September, Okta had alerted customers to a social engineering campaign targeting their IT service desk staff.

The campaign attempted to deceive the employees into resetting multi-factor authentication (MFA) factors for highly privileged users. However, the company did not attribute this attack to a specific threat actor.

Employees and customers whose data may have been exposed should stay alert. In particular, the stolen information gives the threat actors convincing material for phishing, so Okta employees should treat unexpected messages and authentication prompts with suspicion.
