
Okta: Security Breach Impacted 134 Clients

Penka Hristovska
Published on: November 21, 2023

Identity and authentication management provider Okta has released more details about its October breach.

In an official report, the company confirmed much of what was already known about the attack, including that the cybercriminals gained unauthorized access to Okta’s customer support system between Sept. 28 and Oct. 17.

The company said the recent support case management system breach affected 134 of its 18,400 customers, which amounts to “less than 1 percent of Okta customers.” It explained the cybercriminals accessed HAR (HTTP Archive) files containing session tokens (cached web session data and cookies) that can be used to impersonate valid users and hijack legitimate sessions, which appears to be what the attackers attempted to do.
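Because a HAR capture records every request and response header, it carries exactly the cookies and bearer tokens described above. The following Python sanitizer is an added example, not code from the article or from Okta: it masks credential-bearing headers and cookie values in a HAR document before it is shared with a support desk, and counts what it had to redact. The HAR document, host name, token values and the list of sensitive header names are constructed assumptions.

```python
import copy

# Constructed minimal HAR 1.2 document (not a real capture); host, cookie and token values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://example.okta.com/api/v1/users/me",
        "headers": [
            {"name": "Cookie", "value": "sid=abc123; DT=xyz"},
            {"name": "Authorization", "value": "SSWS 00token"},
            {"name": "Accept", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "abc123"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; Path=/"}],
        "cookies": [{"name": "sid", "value": "def456"}],
        "content": {"mimeType": "application/json", "text": "{}"},
    },
}]}}

# Header names whose values carry credentials or session state. Assumption:
# a starting list; extend it for the application whose traffic is captured.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}
REDACTED = "[REDACTED]"


def sanitize_har(har: dict) -> tuple[dict, int]:
    """Return a deep copy of `har` with credential-bearing header and cookie
    values masked, plus the number of values redacted. Input is unchanged."""
    out = copy.deepcopy(har)
    redacted = 0
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS \
                        and header.get("value") != REDACTED:
                    header["value"] = REDACTED
                    redacted += 1
            for cookie in msg.get("cookies", []):
                if cookie.get("value") and cookie["value"] != REDACTED:
                    cookie["value"] = REDACTED
                    redacted += 1
    return out, redacted


def unredacted_secrets(har: dict) -> int:
    """Count sensitive values still present; must be 0 before a HAR is shared."""
    return sanitize_har(har)[1]
```

Run `unredacted_secrets` on the file that is about to leave the machine and refuse to upload while it returns anything other than zero.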

The attackers then accessed the sessions of five Okta customers, including 1Password, BeyondTrust, and Cloudflare, with 1Password being the first company to report suspicious activity on Sept. 29. The company said at the time that the system was broken into by a malicious user who had admin privileges and that they tried to steal data on other 1Password administrators, update an existing identity provider, and gain access to Okta’s IP dashboard.

Two other unnamed Okta customers were subsequently identified as being part of the breach on Oct. 12 and Oct. 18. As to how the cybercriminals gained access to Okta’s systems in the first place, the source appears to be an Okta-managed laptop belonging to an employee at the company.

“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Okta chief security officer David Bradbury said. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

Okta has since removed the session tokens contained in the HAR files and deactivated the service account that was compromised.

The company is separately grappling with another breach at a third-party vendor, Rightway Healthcare, that took place earlier this month. The attacker accessed 5,000 health-related records of Okta employees and their families, including Social Security numbers and insurance plan data.
