Id and authentication administration supplier Okta mentioned hackers managed to view personal buyer data after getting access to credentials to its buyer assist administration system.
“The risk actor was capable of view recordsdata uploaded by sure Okta clients as a part of current assist circumstances,” Okta Chief Safety Officer David Bradbury said Friday. He prompt these recordsdata comprised HTTP archive, or HAR, recordsdata, which firm assist personnel use to duplicate buyer browser exercise throughout troubleshooting classes.
“HAR recordsdata may also include delicate information, together with cookies and session tokens, that malicious actors can use to impersonate legitimate customers,” Bradbury wrote. “Okta has labored with impacted clients to analyze, and has taken measures to guard our clients, together with the revocation of embedded session tokens. On the whole, Okta recommends sanitizing all credentials and cookies/session tokens inside a HAR file earlier than sharing it.”
Bradbury did not say how the hackers stole the credentials to Okta’s assist system. The CSO additionally did not say whether or not entry to the compromised assist system was protected by two-factor authentication, which finest practices name for.
Safety agency BeyondTrust mentioned it alerted Okta to suspicious exercise earlier this month after detecting an attacker utilizing a sound authentication cookie attempting to entry one among BeyondTrust’s in-house Okta administrator accounts. BeyondTrust’s entry coverage controls stopped the attacker’s “preliminary exercise, however limitations in Okta’s safety mannequin allowed them to carry out just a few confined actions,” the corporate mentioned with out elaborating. Ultimately, BeyondTrust was capable of block all entry.
Past Belief mentioned it notified Okta of the occasion however didn’t get a response for greater than two weeks. In a post, BeyondTrust officers wrote:
The preliminary incident response indicated a attainable compromise at Okta of both somebody on their assist workforce or somebody in place to entry buyer support-related information. We raised our considerations of a breach to Okta on October 2nd. Having acquired no acknowledgement from Okta of a attainable breach, we continued with escalations inside Okta till October nineteenth when Okta safety management notified us that they’d certainly skilled a breach and we had been one among their affected clients.
The incident timeline supplied by Past Belief was as follows:
- October 2, 2023 – Detected and remediated identification centric assault on an in-house Okta administrator account and alerted Okta
- October 3, 2023 – Requested Okta assist to escalate to Okta safety workforce given preliminary forensics pointing to a compromise inside Okta assist group
- October 11, 2023 and October 13, 2023 – Held Zoom classes with Okta safety workforce to clarify why we believed they could be compromised
- October 19, 2023 – Okta safety management confirmed they’d an inside breach, and BeyondTrust was one among their affected clients.
Okta has skilled a number of safety or information breaches lately. In March 2022, circulated pictures confirmed {that a} hacking outfit generally known as Lapsus$ purportedly gained entry to an Okta administration panel, permitting it to reset passwords and multifactor authentication credentials for Okta clients. The corporate mentioned the breach occurred after the hackers compromised a system belonging to one among its subprocessors.
In December 2022, hackers stole Okta source code saved in an organization account on GitHub.
Bradbury mentioned Okta has notified all clients whose information was accessed within the current occasion. Friday’s put up incorporates IP addresses and browser person brokers utilized by the risk actors that others can use to point if they’ve additionally been affected. The compromised assist administration system is separate from Okta’s manufacturing service and Auth0/CIC case administration system, neither of which was impacted.