Okta suffers data breach

Okta disclosed a security breach involving its support case management system, where threat actors stole authentication data, prompting concerns about future cyberattacks.

Credit: Okta

Okta, an American identity and access management company based in San Francisco, disclosed a security breach in which threat actors infiltrated its support case management system, compromising sensitive data that could be exploited in future cyberattacks. Specifically, the attackers stole authentication data, including cookies and session tokens, which could enable them to impersonate legitimate users for malicious purposes.

Okta issued a data breach notification explaining the situation, emphasizing the risk associated with stolen credentials and the potential abuse of HAR files containing sensitive data.

According to Okta’s advisory, the company’s security team detected malicious activity related to a stolen credential, which was used to access Okta’s support case management system. In this breach, the threat actors managed to access files uploaded by specific Okta customers as part of recent support cases.

Okta clarified that the compromised system is separate from its core production service, which remains unaffected by the incident. The Auth0/CIC case management system was also confirmed as unaffected, and Okta promptly informed all impacted customers.

In response to the breach, Okta worked closely with the affected customers to investigate the situation and implement protective measures. These included revoking the session tokens embedded in the uploaded files and recommending that customers thoroughly sanitize all credentials and cookies/session tokens from any HAR files before sharing them. Additionally, the advisory provides a list of suspicious IP addresses that customers can monitor to detect potentially malicious activity.
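A HAR file is a JSON record of browser traffic, so the sanitization Okta recommends amounts to walking its request/response entries and blanking the fields that carry credentials. The following Python script is an added example, not Okta's own tooling: it redacts Authorization and Cookie/Set-Cookie headers, every captured cookie value, and secret-looking JSON keys in request and response bodies. The header set and the JSON key list are assumptions and should be widened for the applications in a given capture.

```python
import json
import re

REDACTED = "[REDACTED]"
# Header names whose values carry bearer credentials or session cookies (assumed set).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization"}
# JSON keys commonly seen in login/session bodies (assumed list; extend per application).
SECRET_JSON_KEYS = r"password|sessionToken|access_token|id_token|refresh_token"
_JSON_SECRET_RE = re.compile(r'("(?:%s)"\s*:\s*")[^"]*(")' % SECRET_JSON_KEYS)

def _scrub_headers(headers):
    """Blank the value of every sensitive header; returns the count scrubbed."""
    n = 0
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
            h["value"] = REDACTED
            n += 1
    return n

def _scrub_cookies(cookies):
    """Every captured cookie value is treated as a session credential and blanked."""
    for c in cookies:
        c["value"] = REDACTED
    return len(cookies)

def _scrub_text(container):
    """Redact secret-looking JSON values inside postData/content text, in place."""
    text = container.get("text")
    if not text:
        return 0
    container["text"], n = _JSON_SECRET_RE.subn(r"\1%s\2" % REDACTED, text)
    return n

def sanitize_har(har):
    """Scrub a parsed HAR dict in place; returns the number of values redacted."""
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        total += _scrub_headers(req.get("headers", [])) + _scrub_headers(resp.get("headers", []))
        total += _scrub_cookies(req.get("cookies", [])) + _scrub_cookies(resp.get("cookies", []))
        total += _scrub_text(req.get("postData", {})) + _scrub_text(resp.get("content", {}))
    return total

def sanitize_har_file(src, dst):
    """Read a HAR capture from `src`, scrub it, and write the cleaned copy to `dst`."""
    with open(src, encoding="utf-8") as f:
        har = json.load(f)
    n = sanitize_har(har)
    with open(dst, "w", encoding="utf-8") as f:
        json.dump(har, f, indent=2)
    return n
```

Run `sanitize_har_file("capture.har", "capture.sanitized.har")` and review the output before attaching it to a support case; anything the script does not know about (custom token headers, tokens in URLs) still needs a manual check.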

The advisory closes by pointing customers to previously published guidance on searching the System Log for suspicious sessions, users, or IP addresses. Based on the enrichment information provided, most of the identified indicators are associated with commercial VPN nodes.

Separately, in August Okta warned customers about a series of social engineering attacks in which threat actors attempted to gain elevated administrator permissions. These attacks targeted IT service desk staff, aiming to trick them into resetting all multi-factor authentication (MFA) factors tied to highly privileged users. The company did not attribute these attacks to a specific threat actor.