
Okta breach linked to employee’s personal Google account


Okta said a previously disclosed breach of its backend support case management system allowed attackers to access files relating to 134 of the identity and access management (IAM) provider’s customers.

Five of the affected customers — including Cloudflare, 1Password, and BeyondTrust — had their systems targeted as a result of the breach.

In a Nov. 3 blog post outlining the company’s response to the attack, Okta chief security officer David Bradbury said threat actors used a service account, which had permissions to view and update customer cases, to access the customer support system.

Amongst the files the threat actors accessed were HTTP Archive (HAR) files — used for logging a web browser's interaction with a website — that contained session tokens which could be used to carry out session hijacking attacks.

The threat actors used those session tokens to hijack the five targeted customers’ Okta sessions, Bradbury said.
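The attack path above hinged on HAR files that still carried live session material. A practical control on the customer side is to scrub a HAR before it ever reaches a support case and to verify that no token-shaped strings survive. The following is an added example written for this article, not code from Okta or any of the affected companies; the header list, the placeholder value, the JWT heuristic and the sample capture are all constructed assumptions.

```python
import copy
import json
import re

# Header names whose values routinely carry session material in a browser HAR export.
# Assumption: this list is illustrative, not a vendor's redaction rule set.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization"}
REDACTED = "[REDACTED]"
# Heuristic for leftover JWT-shaped strings: three base64url segments, first starting "eyJ".
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")

# Constructed sample HAR (not a real capture): one request/response pair carrying a
# session cookie and a bearer token, as a browser export typically would.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.test/api/v1/users/me",
                    "headers": [
                        {"name": "Host", "value": "example.okta.test"},
                        {"name": "Cookie", "value": "sid=abc123session; ln=user"},
                        {"name": "Authorization", "value": "Bearer eyJhbGciOi.eyJzdWIiOi.c2lnbmF0dXJl"},
                    ],
                    "cookies": [{"name": "sid", "value": "abc123session"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=def456newsession; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "def456newsession"}],
                    "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"},
                },
            }
        ],
    }
}


def scrub_har(har):
    """Return (scrubbed_copy, redaction_count); the input document is left untouched."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    count += 1
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
                count += 1
    return out, count


def find_residual_tokens(har):
    """Scan the whole serialized HAR for JWT-shaped strings the field-level scrub
    may have missed (response bodies, query strings, custom headers)."""
    return JWT_RE.findall(json.dumps(har))


def scrub_har_file(src_path, dst_path):
    """Scrub an on-disk HAR before attaching it to a support case; refuse to write
    the output if token-shaped strings survive the redaction."""
    with open(src_path, encoding="utf-8") as fh:
        har = json.load(fh)
    scrubbed, count = scrub_har(har)
    leftovers = find_residual_tokens(scrubbed)
    if leftovers:
        raise ValueError(f"{len(leftovers)} token-like strings remain; inspect before sharing")
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(scrubbed, fh, indent=2)
    return count


if __name__ == "__main__":
    scrubbed, n = scrub_har(SAMPLE_HAR)
    print(f"redacted {n} values; residual tokens: {find_residual_tokens(scrubbed)}")
```

The second pass matters more than the first: field-level redaction only covers the places the scrubber knows about, while the serialized-text scan catches tokens echoed in bodies or non-standard headers. Separately, the vendor-side mitigation is to treat any attached HAR as tainted and to revoke the sessions it references on upload.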

The company’s investigation of the incident found the credentials of the service account were saved to an employee’s personal Google profile after they signed in to the profile on their work laptop using Google Chrome.

“The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device,” Bradbury said.

According to a timeline provided by Bradbury, the threat actor was in Okta’s system from Sept. 28 to Oct. 17. Okta’s security team was first made aware of an issue and began an investigation on Sept. 29, when 1Password reported suspicious activity to Okta Support.

It took the investigation team 14 days, however, to identify suspicious downloads in the company’s logs.

“When a user opens and views files attached to a support case, a specific log event type and ID is generated tied to that file,” Bradbury said.

“If a user instead navigates directly to the Files tab in the customer support system, as the threat actor did in this attack, they will instead generate an entirely different log event with a different record ID.”

The company’s investigation initially focused on finding unauthorized access to the cases. It wasn’t until Oct. 13, when BeyondTrust provided a suspicious IP address attributed to the threat actor, that the security team identified the Files tab access the attackers had achieved using the compromised account.
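The detection lesson in the passage above is that two audit paths led to the same files, and a query scoped to one event type missed the other. The following is an added example for this article, not Okta's own logging or query code: the two event type names, the field layout and the sample records are constructed stand-ins, since the article does not give the real event IDs.

```python
import json
from collections import Counter, defaultdict

# Hypothetical event type names standing in for the two distinct log events the
# post describes; the real event type IDs are not given in the article.
ATTACHMENT_VIEW = "support.case.attachment.view"       # file opened from within a case
DIRECT_FILES_ACCESS = "support.files.direct_download"  # file fetched from the Files tab
FILE_ACCESS_EVENTS = {ATTACHMENT_VIEW, DIRECT_FILES_ACCESS}

# Constructed sample audit records (JSON lines); addresses are documentation ranges.
LOG_LINES = [
    '{"ts":"2023-10-02T14:03:11Z","event":"support.case.attachment.view","actor":"svc-support-tooling","ip":"203.0.113.10","case":"CASE-1001","file":"f-1"}',
    '{"ts":"2023-10-02T14:05:40Z","event":"support.files.direct_download","actor":"svc-support-tooling","ip":"198.51.100.7","file":"f-2"}',
    '{"ts":"2023-10-03T09:12:02Z","event":"support.files.direct_download","actor":"svc-support-tooling","ip":"198.51.100.7","file":"f-3"}',
    '{"ts":"2023-10-03T10:00:00Z","event":"support.case.attachment.view","actor":"alice","ip":"203.0.113.11","case":"CASE-1002","file":"f-4"}',
]


def parse_logs(lines):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def file_access_events(records, event_types):
    """Records whose event type is in event_types. Querying only ATTACHMENT_VIEW
    reproduces the gap the post describes: Files-tab downloads never show up."""
    return [r for r in records if r["event"] in event_types]


def files_accessed_from(records, watchlist_ips):
    """File IDs reached via either access path from a watch-listed source IP,
    which is the pivot that surfaced the missed activity in the incident."""
    return sorted({
        r["file"]
        for r in file_access_events(records, FILE_ACCESS_EVENTS)
        if r["ip"] in watchlist_ips
    })


def access_summary(records):
    """Per-actor count of each file-access path, to surface accounts (a service
    account in particular) that use the direct path unusually often."""
    summary = defaultdict(Counter)
    for r in file_access_events(records, FILE_ACCESS_EVENTS):
        summary[r["actor"]][r["event"]] += 1
    return {actor: dict(counts) for actor, counts in summary.items()}


if __name__ == "__main__":
    recs = parse_logs(LOG_LINES)
    print("attachment-only view:", [r["file"] for r in file_access_events(recs, {ATTACHMENT_VIEW})])
    print("both paths:", [r["file"] for r in file_access_events(recs, FILE_ACCESS_EVENTS)])
    print("from watchlist:", files_accessed_from(recs, {"198.51.100.7"}))
    print("per actor:", access_summary(recs))
```

The structural fix is to alert on the union of every event type that grants file read access, not on the one analysts remember, and to keep a per-account baseline of how often each path is used so a service account that suddenly prefers bulk listing stands out before an external IP tip arrives.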

Okta has taken a range of remediation actions following the attack, Bradbury said. These included disabling the compromised service account, blocking the use of personal Google profiles when using Google Chrome on company laptops, enhancing monitoring of the customer support system, and binding administrator session tokens based on network location.
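The last of those mitigations, binding a session token to the network it was issued to, is what turns a stolen token from a HAR file into a dead one when replayed from elsewhere. The following is an added example written for this article, not Okta's implementation: the store, the /24 and /64 binding granularity, and the revoke-on-mismatch policy are constructed assumptions.

```python
import ipaddress
import secrets


class NetworkBoundSessionStore:
    """Server-side session store in which each token is valid only from the
    network it was issued to. Assumption: IPv4 sessions are bound to their /24
    and IPv6 sessions to their /64; the granularity is a policy choice and not
    something the article specifies."""

    def __init__(self):
        self._sessions = {}  # token -> (user, bound network)

    @staticmethod
    def network_for(ip):
        """Network prefix a client address is bound to."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def create(self, user, client_ip):
        """Issue a fresh, unguessable token bound to the client's network."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self.network_for(client_ip))
        return token

    def validate(self, token, client_ip):
        """Return the session's user, or None when the token is unknown or is
        presented from outside its bound network. A mismatch is exactly what a
        replayed token looks like, so the session is revoked on first misuse;
        a real deployment would also raise an alert here."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound_net = entry
        if ipaddress.ip_address(client_ip) not in bound_net:
            self._sessions.pop(token, None)
            return None
        return user

    def active_sessions(self):
        """Number of live sessions, useful for asserting revocation took effect."""
        return len(self._sessions)


if __name__ == "__main__":
    store = NetworkBoundSessionStore()
    tok = store.create("admin@example.test", "203.0.113.10")   # constructed values
    print("same network:", store.validate(tok, "203.0.113.55"))
    print("other network:", store.validate(tok, "198.51.100.7"))
    print("after misuse:", store.validate(tok, "203.0.113.10"))
```

Binding to a prefix rather than an exact address tolerates NAT pools and mobile clients without giving up the property that matters: a token lifted from a capture is useless from the attacker's own network, and the failed attempt itself becomes a detection signal.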

Cloudflare, 1Password, and BeyondTrust previously said they had not lost any customer data as a result of the breach. The identities of the other two organizations targeted using their session tokens have not been disclosed.

In a separate security incident last month, the data of 4,961 current and former Okta employees — including names, health insurance plan numbers, and Social Security numbers — were found to have been compromised following a breach at one of its third-party vendors, healthcare support service provider Rightway Healthcare.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
