The breach of Okta’s case management system first reported late last week has evolved into a new phase as Cloudflare, 1Password, and BeyondTrust confirmed that hackers targeted their systems as a result of the breach.
Despite being the targets of threat actors, all three companies said no customer data was lost in any of the incidents.
In a blog post Oct. 20, BeyondTrust reported that on Oct. 2, its security teams detected an identity-centric attack on an in-house Okta administrator account. They said the incident was the result of Okta’s support system being compromised, which allowed an attacker to access sensitive files uploaded by their customers
“We then detected and remediated the attack through our own identity security tools, which resulted in no impact or exposure to our infrastructure or to any customers,” said the BeyondTrust researchers.
Cloudflare also posted a blog Oct. 20 saying threat actors were able to leverage an authentication token compromise at Okta and then “pivot” to Cloudflare’s Okta instance.
“While this was a troubling security incident, our Security Incident Response Team’s real-time detection and prompt response enabled containment and minimized the impact to Cloudflare’s systems and data,” said the Cloudflare researchers. “We have verified that no Cloudflare customer information or systems were impacted by this event.”
For its part, 1Password also put out a similar statement two days ago:
“We detected suspicious activity on our Okta instance related to their support system incident,” said Pedro Canahuati, chief technology officer at 1Password, in a blog post. “After a thorough investigation, we concluded that no 1Password user data was accessed.”
A breach can have a cascading effect, impacting not only Okta, but also its vast customer base, said Callie Guenther, senior manager, cyber threat research at Critical Start. Such incidents erode the trust users and companies place in service providers, especially for providers like Okta, where security is the primary selling point,” said Guenther.
“With the exposed data, attackers can launch secondary attacks, potentially targeting Okta's customers, or even their clients, escalating the breach's overall impact,” said Guenther. “In less than two years, Okta has faced multiple security incidents, raising significant concerns about its security posture and the implications for its global clientele. Given Okta's pivotal role in many organizations' security frameworks, these repeated incidents underscore the need for rigorous, ongoing security assessments, and proactive measures.”
John Bambenek, principal threat hunter at Netenrich, added that security teams have to make sure that any single-sign-on product they use really gets locked down.
“As a security leader, I tend not to take a single event as an indicator of trustworthiness,” said Bambenek. “However, when you keep seeing the same company in the news with security events, you start to ask some fundamental questions about whether you can rely on that organization for such a sensitive function, such as identity and authentication.”