The Okta security incident: assessments.
By Tim Nodar, CyberWire senior staff writer
Nov 6, 2023

Okta's breach and Okta's response.


Identity and access management provider Okta has provided additional details on the breach it sustained from September 28th to October 17th. The company disclosed that “a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers.” The threat actor obtained “HAR files that contained session tokens which could in turn be used for session hijacking attacks,” and used these tokens to hijack the Okta sessions of five customers. Three of these customers (1Password, BeyondTrust, and Cloudflare) have disclosed that they were affected.
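A HAR (HTTP Archive) file is a plain JSON recording of a browser session. Unless it is scrubbed first, it carries the Cookie, Set-Cookie and Authorization headers of every request, plus any tokens that appeared in query strings or JSON bodies, which is exactly why a stolen HAR lets an attacker replay the victim's session. The script below is an added example, not Okta's, Cloudflare's or any affected customer's code, of the sanitizing step a customer should run before attaching a HAR to a support case. The header list, the key-name pattern and the embedded sample HAR are constructed for illustration; the sample's hostnames and token values are invented.

```python
"""Strip session material from a HAR 1.2 document before sharing it.

Added example for the Okta HAR-file incident; illustrative, not vendor code.
"""
import copy
import json
import re

# Headers that routinely carry bearer or session material (illustrative list).
SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization",
    "x-csrf-token", "x-xsrf-token", "x-okta-xsrftoken",
}
# Query-string, form and JSON keys that look like credentials or tokens.
SENSITIVE_KEY_RE = re.compile(
    r"(token|session|sid|password|passwd|secret|api[_-]?key|assertion)", re.I)
REDACTED = "[REDACTED]"


def _scrub_headers(headers):
    """Blank every sensitive header value; return the number redacted."""
    n = 0
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
            h["value"] = REDACTED
            n += 1
    return n


def _scrub_cookies(cookies):
    """Every cookie value is treated as secret (session ids live here)."""
    n = 0
    for c in cookies:
        if "value" in c and c["value"] != REDACTED:
            c["value"] = REDACTED
            n += 1
    return n


def _scrub_params(params):
    """queryString / postData.params entries: redact when the name looks sensitive."""
    n = 0
    for p in params:
        if SENSITIVE_KEY_RE.search(p.get("name", "")) and p.get("value") != REDACTED:
            p["value"] = REDACTED
            n += 1
    return n


def _scrub_json(obj):
    """Recursively redact scalar values under sensitive keys in parsed JSON."""
    n = 0
    if isinstance(obj, dict):
        for k, v in obj.items():
            if SENSITIVE_KEY_RE.search(k) and isinstance(v, (str, int)) and v != REDACTED:
                obj[k] = REDACTED
                n += 1
            else:
                n += _scrub_json(v)
    elif isinstance(obj, list):
        for v in obj:
            n += _scrub_json(v)
    return n


def _scrub_body(container):
    """Scrub a JSON body in request.postData or response.content.
    Non-JSON bodies are left untouched (assumption: out of scope here)."""
    text = container.get("text")
    if not text:
        return 0
    try:
        parsed = json.loads(text)
    except ValueError:
        return 0
    n = _scrub_json(parsed)
    if n:
        container["text"] = json.dumps(parsed)
    return n


def sanitize_har(har):
    """Return (sanitized_copy, redaction_count). The input dict is not modified."""
    out = copy.deepcopy(har)
    n = 0
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        n += _scrub_headers(req.get("headers", [])) + _scrub_headers(resp.get("headers", []))
        n += _scrub_cookies(req.get("cookies", [])) + _scrub_cookies(resp.get("cookies", []))
        n += _scrub_params(req.get("queryString", []))
        n += _scrub_params(req.get("postData", {}).get("params", []))
        n += _scrub_body(req.get("postData", {})) + _scrub_body(resp.get("content", {}))
    return out, n


# Constructed sample: one login-refresh exchange with a session cookie, an API
# token header, a state token in the query string and tokens in both bodies.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"}, "entries": [{
    "request": {
        "method": "POST", "url": "https://example.okta.test/api/v1/sessions/me/lifecycle/refresh",
        "headers": [{"name": "Host", "value": "example.okta.test"},
                    {"name": "Cookie", "value": "sid=102abc; DT=DI0xyz"},
                    {"name": "Authorization", "value": "SSWS 00AbCd"}],
        "cookies": [{"name": "sid", "value": "102abc"}, {"name": "DT", "value": "DI0xyz"}],
        "queryString": [{"name": "next", "value": "/app"}, {"name": "stateToken", "value": "00xyz"}],
        "postData": {"mimeType": "application/json",
                     "text": "{\"username\": \"alice\", \"password\": \"hunter2\"}"}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=103def; Secure; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "103def"}],
        "content": {"mimeType": "application/json",
                    "text": "{\"id\": \"103def\", \"sessionToken\": \"20111abc\", \"status\": \"ACTIVE\"}"}}}]}}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            source = json.load(f)
    else:
        source = SAMPLE_HAR
    cleaned, count = sanitize_har(source)
    print(f"redacted {count} field(s)")
    print(json.dumps(cleaned, indent=1))
```

Run it with a path to a real HAR, or with no arguments to see the sample. On the sample it redacts nine fields: two request headers, one response header, three cookie values, the stateToken query parameter, the password in the request body and the sessionToken in the response body. Running it a second time over its own output redacts nothing, so the sanitizer is safe to apply defensively at both ends of a support workflow. Anything it cannot parse as JSON is left alone, which is a deliberate gap to be aware of: HTML or form-encoded bodies that echo a token still need manual review.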

Okta continued, “The unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself. This service account was granted permissions to view and update customer support cases. During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

Okta has been criticized for its response to the breach.

Okta is facing criticism for its handling of the incident, Ars Technica reports. Cloudflare, one of the impacted Okta customers, noted, “Okta was first notified on October 2, 2023 by BeyondTrust but the attacker still had access to their support systems at least until October 18, 2023.” 

Okta Chief Security Officer David Bradbury told the Record, “We met repeatedly with 1Password and BeyondTrust during that 14-day period to try to identify the compromise in partnership with them. Ultimately it took all of us that amount of time to investigate as their initial findings only got us so far in the investigation.”

The risk of the apparently innocuous.

Anurag Gurtu, Chief Product Officer at StrikeReady, wrote, in emailed comments:

“The recent security breach at Okta serves as a stark reminder of the potential vulnerabilities that can arise from seemingly innocuous practices, like using personal accounts on company devices. This incident underscores the critical need for organizations to reinforce their cybersecurity policies and ensure that employees are fully aware of the risks associated with mixing personal and professional digital activities.

“It's also a call to action for companies to continuously monitor and manage access privileges, and to deploy multi-layered security measures that can detect and mitigate unauthorized access promptly. Effective cybersecurity is not just about having the right tools; it's about instilling the right discipline and awareness at every level of the organization. As we assist our clients in navigating their cybersecurity landscape, incidents like these are invaluable learning opportunities to fortify their defenses and prepare for the inevitability of human error.”

(Added, 7:00 PM ET, November 6th, 2023.) Lorri Janssen-Anessi, Director, External Cyber Assessments at BlueVoyant, sees the incident as a reminder of the importance of staying aware of supply chain risks. “The recently reported breach involving a third-party vendor at Okta once again underscores the critical importance of organizations diligently monitoring their digital supply chain, which is made up of the vendors, suppliers, and other third parties that have network access. Okta, which has previously faced scrutiny over other reported breaches, stated that only employee and not customer data was compromised in this incident. However, the repercussions can extend beyond this initial breach. The exposed employee information can make them susceptible to targeted phishing and impersonation scams, potentially leading to data or monetary theft. Even worse, these scams might be leveraged to obtain the employees’ credentials, enabling further damage to the company," she wrote. "It is imperative for organizations to comprehensively identify all third-party entities they depend on for their operations, not just those pertaining to customer data. Subsequently, they should assess which of these entities have access to sensitive data and whether such access is warranted. Continuous monitoring of third-party vendors for vulnerabilities and a proactive approach to remediation should be integral parts of an organization’s cybersecurity strategy.”