Okta discloses a data breach.
By Tim Nodar, CyberWire senior staff writer
Oct 23, 2023

Some customers were affected by a compromise of the customer case system.

Okta discloses a data breach.

Identity and access management company Okta has disclosed a data breach affecting some of the company’s customers. 

Data exposure found in support case management system.

The company stated, “The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.”

BeyondTrust, which discovered the breach, stated, “The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers. The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system. Custom policy controls blocked the attacker's initial activity, but limitations in Okta's security model allowed them to perform a few confined actions.” 

KrebsOnSecurity notes that “it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.”
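The breach mechanism described above, a support upload that carried a live session cookie, is one a customer can close on their own side before a file ever reaches a ticket. The following is an added defensive example, not tooling from Okta, BeyondTrust or CyberWire: it redacts credential-bearing headers and cookie values from a HAR capture and then checks that nothing sensitive remains. The HAR content and token values are constructed for the example.

```python
"""Redact session material from a HAR capture before sharing it with a support desk.

Added defensive example for the mechanism described above; it is not tooling
from Okta, BeyondTrust or CyberWire. A HAR file records every HTTP request and
response, including Cookie, Set-Cookie and Authorization headers, so an
unredacted capture uploaded to a ticket hands live session tokens to anyone
who can read the ticket. The sanitizer below blanks those fields and reports
how many it touched, so the uploader can confirm the file is clean.
"""
import copy
import json

# Header names that carry credentials. HTTP header names are case-insensitive,
# so matching is done on the lower-cased name.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _scrub_headers(headers):
    """Replace values of credential-bearing headers; return count changed."""
    changed = 0
    for header in headers:
        if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
            header["value"] = REDACTED
            changed += 1
    return changed


def _scrub_cookies(cookies):
    """HAR also lists parsed cookies separately from the headers; blank those too."""
    changed = 0
    for cookie in cookies:
        if cookie.get("value") not in (None, REDACTED):
            cookie["value"] = REDACTED
            changed += 1
    return changed


def sanitize_har(har):
    """Return (sanitized deep copy, number of fields redacted). The input is untouched."""
    clean = copy.deepcopy(har)
    redacted = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            redacted += _scrub_headers(message.get("headers", []))
            redacted += _scrub_cookies(message.get("cookies", []))
    return clean, redacted


def find_leaks(har):
    """List (entry index, side, name) for every credential field still carrying a value.

    Run this on the sanitized output before uploading; an empty list is the
    condition for sharing the file.
    """
    leaks = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            message = entry.get(side, {})
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                    leaks.append((i, side, header["name"]))
            for cookie in message.get("cookies", []):
                if cookie.get("value") not in (None, REDACTED):
                    leaks.append((i, side, "cookie:" + cookie.get("name", "?")))
    return leaks


# Constructed sample: one request to a placeholder admin console, as a browser
# would record it. Host name and token values are made up for this example.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example-org-admin.invalid/admin/dashboard",
                    "headers": [
                        {"name": "Host", "value": "example-org-admin.invalid"},
                        {"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION_ID; other=1"},
                        {"name": "Authorization", "value": "Bearer CONSTRUCTED_TOKEN"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_ID"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "text/html"},
                        {"name": "Set-Cookie", "value": "sid=CONSTRUCTED_ROTATED_ID; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED_ROTATED_ID"}],
                },
            }
        ],
    }
}


if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} fields; remaining leaks: {find_leaks(clean)}")
    print(json.dumps(clean, indent=2))
```

The header and cookie lists are the fields a browser fills with session state, but tokens can also sit in URL query strings or in request and response bodies (`postData` and `content.text` in HAR). A stricter policy drops those bodies entirely unless the support case specifically needs them; the `find_leaks` check is the gate either way.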

Lessons in password management and multifactor authentication.

Rahul Pawar, Global Vice President, Security GTM & CTO, GSS at Commvault, commented:

“The breach of Okta's support system is a reminder of the importance of strong password management and multi-factor authentication (MFA). It’s yet another example of how a multi-layered cybersecurity and cyber resilience program can protect organizations from cyberattacks and reduce the risk of compromise – ultimately protecting their data and users.

“Organizations that use Okta should take the necessary steps to protect themselves from this breach, including requiring all users to use strong passwords and MFA, enabling MFA on all Okta accounts (including administrative accounts), monitoring Okta logs for suspicious activity, and implementing a zero-trust security model to reduce the risk of compromise, even if an attacker gains access to a user's credentials.

“Organizations should also consider rotating all Okta credentials, changing the passwords for all other accounts that are linked to Okta accounts, such as email accounts and cloud storage accounts, and implementing security awareness training for all employees to help them identify and avoid phishing attacks.

“It is important to note that Okta has stated that there is no evidence that this breach has affected customer data. However, organizations should still take the necessary steps to protect themselves from potential harm.”

The expansive attack surface interconnected systems present.

(Added, October 24th, 2023, 10:00 PM ET.) 1Password blogged about its discovery of unusual activity in one of its Okta-provided accounts at the end of September. "Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization. Based on our initial assessment, we have no evidence that proves the actor accessed any systems outside of Okta. The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack." Thus the activity was preparatory in nature, and stopped before it proceeded beyond that point.

Ken Westin, Field CISO, Panther Labs, commented on the significance of the attackers' attempt on 1Password. "Okta is a prime target for attackers and by compromising their systems," Westin wrote. "They seek to gain access to their customer’s infrastructure and data. The pivot to 1Password should be a wake-up call for organizations to ensure they are monitoring Okta logs, as well as other identity and password applications."
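Both Pawar's and Westin's advice comes down to watching the Okta System Log, and the 1Password account above names what to watch for: a stolen session used from a new client, followed by super admin actions such as standing up a secondary identity provider. The following is an added detection example, not code from Okta, Panther Labs or 1Password. It runs two rules over constructed sample events; the field and `eventType` names follow Okta's public System Log schema as understood by the author of this example and should be confirmed against a real tenant's events before the rules are relied on.

```python
"""Flag Okta System Log patterns consistent with a replayed session token.

Added detection example for the advice above to monitor Okta logs; it is not
Okta's, Panther Labs' or 1Password's code. Two rules run over the log:

  1. session_reuse: one Okta session (authenticationContext.externalSessionId)
     is seen from more than one client IP / user-agent fingerprint, which is
     what a stolen cookie replayed from another machine looks like.
  2. high_risk_admin_action: event types matching the campaign described
     above (admin console opened, new identity provider created, admin
     privilege granted).

Field and eventType names follow Okta's public System Log schema as the author
of this example understands it; confirm them against your own tenant's events.
"""
from collections import defaultdict

HIGH_RISK_EVENTS = {
    "user.session.access_admin_app": "admin console opened",
    "system.idp.lifecycle.create": "new identity provider created",
    "user.account.privilege.grant": "administrator privilege granted",
}


def _fingerprint(event):
    """Client IP plus raw user agent; a replayed cookie rarely matches both."""
    client = event.get("client", {})
    return (client.get("ipAddress"), client.get("userAgent", {}).get("rawUserAgent"))


def analyze(events):
    """Return a list of findings, each a dict with rule, session, actor and detail."""
    findings = []
    seen = defaultdict(dict)  # session id -> {fingerprint: first time seen}
    for event in sorted(events, key=lambda e: e["published"]):
        session = event.get("authenticationContext", {}).get("externalSessionId")
        actor = event.get("actor", {}).get("alternateId")
        fp = _fingerprint(event)
        if session:
            known = seen[session]
            if fp not in known:
                if known:  # the session was already established from elsewhere
                    first_ip, first_ua = next(iter(known))
                    findings.append({
                        "rule": "session_reuse",
                        "session": session,
                        "actor": actor,
                        "detail": f"first seen from {first_ip} ({first_ua}), now from {fp[0]} ({fp[1]})",
                    })
                known[fp] = event["published"]
        event_type = event.get("eventType")
        if event_type in HIGH_RISK_EVENTS:
            findings.append({
                "rule": "high_risk_admin_action",
                "session": session,
                "actor": actor,
                "detail": f"{HIGH_RISK_EVENTS[event_type]} ({event_type}) from {fp[0]}",
            })
    return findings


def _event(published, event_type, actor, session, ip, ua):
    """Build a minimal System Log record with only the fields the rules read."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
        "authenticationContext": {"externalSessionId": session},
    }


# Constructed sample log. Addresses come from documentation ranges and the
# accounts are placeholders; nothing here is taken from the incident.
WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
LINUX_FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
SAMPLE_EVENTS = [
    _event("2023-10-02T09:00:00Z", "user.session.start", "admin@example.invalid", "sess-A", "203.0.113.10", WIN_CHROME),
    _event("2023-10-02T09:05:00Z", "user.authentication.sso", "admin@example.invalid", "sess-A", "203.0.113.10", WIN_CHROME),
    _event("2023-10-02T13:40:00Z", "user.session.access_admin_app", "admin@example.invalid", "sess-A", "198.51.100.77", LINUX_FF),
    _event("2023-10-02T13:42:00Z", "system.idp.lifecycle.create", "admin@example.invalid", "sess-A", "198.51.100.77", LINUX_FF),
    _event("2023-10-02T10:00:00Z", "user.session.start", "alice@example.invalid", "sess-B", "203.0.113.22", WIN_CHROME),
    _event("2023-10-02T10:01:00Z", "user.authentication.sso", "alice@example.invalid", "sess-B", "203.0.113.22", WIN_CHROME),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['actor']} {finding['session']}: {finding['detail']}")
```

On the sample, session `sess-A` produces one `session_reuse` finding when the admin console is opened from a second client, and the admin-console and identity-provider events each produce a `high_risk_admin_action` finding; session `sess-B`, used consistently from one client, produces nothing. In production the fingerprint rule needs an allowance for legitimate IP changes (VPN, mobile), which is why the high-risk admin events are flagged on their own as well as in combination.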

Okta was compromised via its customer support system. Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ, wrote, "Okta provides identity management to 50 billion users, allowing employees to securely access their company’s internal systems. The hackers used stolen credentials to access contained browser recording files containing website cookies and session tokens. These tokens can be used to break into the networks of Okta’s customers." 

Costis added, "While it is important to evaluate existing security controls to uncover any gaps hackers might exploit, a more resilient security detection and prevention system is critical for organizations that manage sensitive information. This preventative cybersecurity approach includes developing a threat-informed cyber defense strategy. By identifying the common tactics, techniques and procedures (TTPs) used by common threat actors, companies can align their defenses against these specific threats, testing to see how the program responds. This will provide visibility and insight for any future ransomware attacks."

Javed Hasan, CEO and co-founder of Lineaje, says that 1Password's having been touched by the incident "highlights the interconnectedness of software supply chains and the potential security risks associated with relying on third-party services." The incident "underscores the critical importance of combining proactive security measures and thorough vetting of third-party providers." And the Okta incident suggests lessons that any organization might learn to its profit. "This incident also serves as a stark reminder during National Cybersecurity Awareness Month, for organizations to implement CISA’s four steps to keep you cyber safe including multifactor authentication, regularly update and patch software, and maintain a vigilant stance when it comes to monitoring their digital infrastructure. As cyber threats continue to evolve, a comprehensive approach to cybersecurity that encompasses not only internal defenses but also a keen eye on external dependencies is essential to safeguarding sensitive data and maintaining the trust of users and clients."

Reviewing Okta's response.

(Added 3:45 PM ET, October 27th, 2023.) Geoff Mattson, CEO of Xage Security, thinks Okta hasn't done a bad job at all in handling the incident. He also thinks that zero-trust practices have limited the damage. "Okta’s response to its recent data breach is commendable, given its swift and responsible disclosure. Okta provided a high level of transparency from the beginning, which is not always the case in the business world. This transparency is a reassuring sign that the company takes the security and trust of its users seriously," he wrote in emailed comments. "Despite the potential for damage, the impact of this breach, from what has been disclosed thus far, has been relatively limited. The reason behind this limited impact is the industry's gradual adoption of robust access management practices rooted in the zero trust model. Thanks to zero trust, we have yet to reach the levels of damage that this breach would have caused even a few years ago. The zero trust model, emphasizing strong authentication, continuous monitoring, and least privilege access, is proving to be an effective strategy in containing and mitigating breaches. As organizations continue to adapt and enhance their cybersecurity strategies, the lessons learned from Okta's breach underscore the importance of embracing a zero trust mindset. By doing so, businesses can better protect their data, maintain the trust of their customers, and stay one step ahead of cyber threats in an increasingly complex digital landscape."