Attackers target Okta and abuse a stolen credential to access backend system

Attackers leverage a stolen credential to access Okta's support case management system

Okta reported that on October 20 an attacker leveraged a stolen credential to access its backend support case management system. While the identity and access management firm is downplaying the impact of the breach, experts suggest that it may have exposed sensitive customer data.

This was not the first time the identity and access management (IAM) provider reported a breach. The last one was in March of 2022 when the Lapsus$ extortion group reported on Telegram that it had breached Okta.

David Bradbury, chief security officer at Okta, said in an advisory that the threat actor was able to view files uploaded by certain Okta customers as part of recent support cases, but noted that the Okta support case management system is separate from the production Okta service, which is fully operational and had not been impacted.

"All customers who were impacted by this have been notified," wrote Bradbury. "If you're an Okta customer and you have not been contacted with another message or method, there's no impact to your Okta environment or your support tickets." Bradbury did not indicate how many customers had been notified.

While Okta downplayed the incident, Ted Miracco, chief executive officer at Approov, said it’s not altogether reassuring that the breach was limited to Okta's support management system, as that system likely contains valuable information related to customer support cases, including files uploaded by customers.

Miracco said if attackers were able to access and view these files, they may have gained access to sensitive data such as customer credentials, personally identifiable information, or confidential documents.

“The attackers could also attempt to use these credentials to escalate their access privileges, gain entry to other systems or services, or launch targeted attacks against Okta customers,” said Miracco. “This incident highlights the fact that while user authorization is a fundamental aspect of access control, relying solely on it can leave systems vulnerable. Incorporating technologies like multi-factor authentication, and mobile device or app attestation can add extra layers of security to APIs, making it much harder for attackers to gain unauthorized access.”

Tim Davis, vice president of solution consulting at DoControl, said it’s very common for ticketing support systems to run as Software as a Service (SaaS) applications. SaaS offers ease of access (anyone with an internet connection can access a SaaS platform) and built-in data sharing capabilities for purposes of collaboration and productivity. However, Davis said these productivity gains in user and data access come at a cost in security, a cost that is still not well understood by most organizations.

“SaaS platforms are typically not incentivized to secure the data stored within them or monitor who has access to it, since SaaS vendors want to enable and encourage collaboration,” said Davis. “It’s the responsibility of the organization to secure their data (and their customers' data) that is stored in SaaS applications. This security must include not only user access controls like SSO and MFA, but data access controls and visibility. Finally, it should include methods of detection for when valid user credentials have been compromised – such as behavioral analytics and data access thresholds.”

IAM growing in importance

Any breach of Okta is significant, as the vast majority of companies now focus on identity and access management (IAM) as a way to secure their systems, according to a study by CyberRisk Alliance.

Research and analytics group 6sense reports that Okta has become the leading identity and access management (IAM) provider with a 44.97% market share and 11,950 customers. Major customers Okta serves with more than 10,000 employees include YouTube, Hearst Corp., and the District of Columbia.

In its advisory, Okta’s Bradbury said the company’s support group will ask customers to upload an HTTP Archive (HAR) file, which will let them troubleshoot issues by replicating browser activity. Bradbury said HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.

“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” said Bradbury. “In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
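Okta's recommendation above is to strip credentials, cookies and session tokens from a HAR file before attaching it to a support case. The script below is an added example of such a sanitizer, not Okta's tooling and not from the article: it walks a parsed HAR 1.2 document, blanks Cookie/Set-Cookie/Authorization headers, cookie values, token-like query parameters (including their copy inside `request.url`) and request bodies, and runs on a constructed sample entry; the header and parameter name lists are assumptions to extend for your own environment.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed name lists; extend them for your own tenant's headers and parameters.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "sessiontoken", "session_token", "code"}
REDACTED = "[REDACTED]"

def _redact_pairs(pairs, names):
    # HAR headers, cookies and params are lists of {"name", "value"}; match names case-insensitively.
    for item in pairs:
        if item.get("name", "").lower() in names:
            item["value"] = REDACTED
def _redact_url(url):
    # HAR repeats the query string inside request.url, so token-like parameters are scrubbed there too.
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return a redacted deep copy of a parsed HAR 1.2 document; the caller's dict is untouched."""
    har = json.loads(json.dumps(har))
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):  # Cookie and Set-Cookie both carry the session
            msg = entry.get(side, {})
            _redact_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
        req = entry.get("request", {})
        if "url" in req:
            req["url"] = _redact_url(req["url"])
        _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        post = req.get("postData")
        if post:  # a login POST carries the password: drop the body whole rather than parse it
            _redact_pairs(post.get("params", []), SENSITIVE_PARAMS)
            post.pop("text", None)
    return har
def leaked_values(har, secrets):
    """Return which of the given secret strings still occur anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]

# Constructed sample entry (placeholder host and secrets), not a real capture.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "POST", "url": "https://login.example.invalid/authn?sessionToken=tok-xyz",
                "headers": [{"name": "Cookie", "value": "sid=abc123"}, {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "abc123"}],
                "queryString": [{"name": "sessionToken", "value": "tok-xyz"}],
                "postData": {"mimeType": "application/json", "text": "{\"password\": \"hunter2\"}"}},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "def456"}], "content": {"mimeType": "text/plain"}}}]}}
```

For a real file, load it with `json.load`, pass it through `sanitize_har`, and check `leaked_values` against any secrets you know were in the capture before writing the result out and attaching it.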
