November 29, 2023 at 08:32AM
Okta’s customer support system was breached, affecting all support system users and exposing names, emails, and other details. Less than 1% of customers had session tokens stolen. Okta advises all users, especially administrators without MFA, to implement multi-factor authentication and increase vigilance against phishing. No credentials were exposed. Previous attacks included source code and laptop compromises.
Meeting Takeaways:
1. Breach Summary:
– Okta’s Help Center environment was breached last month, compromising data from all customer support system users.
– Hackers accessed reports and support cases, including contact information for all Okta certified users.
– In November, an unauthorized file access in Okta’s customer support system was reported with initial evidence suggesting a limited breach.
– The breach included HAR files with cookies and session tokens for 134 customers, which is under 1% of Okta’s customer base.
2. Impact Scope:
– Exposed data involves a report with names, emails, and various other details of all Okta customer support system users.
– 99.6% of affected users had only their full name and email address exposed.
– No credentials were leaked in the breach.
– 6% of exposed users are administrators who did not have multi-factor authentication (MFA) enabled.
– There was also access to Okta certified user data, some Okta CIC customer contacts, and employee details, but no user credentials or sensitive personal data.
3. Security Enhancements Suggested:
– Okta recommends implementing MFA for admin access, especially phishing-resistant methods.
– Enabling session binding to require re-authentication for admin sessions from new IP addresses is suggested.
– Setting admin session timeouts is recommended, with a 12-hour maximum and a 15-minute idle time.
– Increasing phishing awareness and reinforcing IT Help Desk verification processes are advised.
4. Previous Security Incidents:
– Over the past two years, Okta has faced credential theft and social engineering attacks, including a source code breach from GitHub repositories in December.
– In January 2022, a support engineer’s laptop was compromised, impacting about 375 customers (2.5% of clients), with the Lapsus$ group claiming the attack and demonstrating superuser/admin access.
5. Potential Threats:
– The information accessed may enable threat actors to conduct phishing or social engineering attacks aimed at collecting additional information for more sophisticated attacks.
6. Exclusion:
– Customers in FedRAMP High and DoD IL4 environments are not affected as they use a separate support system. The Auth0/CIC support case management system was also not compromised.
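The admin session controls recommended under Security Enhancements Suggested (session binding to the source IP, a 12-hour maximum lifetime and a 15-minute idle timeout), as an added Python example that is not part of the original summary or of Okta's own implementation; the session model, the decision values and the sample timeline are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits from the summary: 12-hour maximum lifetime, 15-minute idle timeout.
MAX_SESSION_LIFETIME = timedelta(hours=12)
MAX_IDLE_TIME = timedelta(minutes=15)

@dataclass
class AdminSession:
    started_at: datetime        # when the admin authenticated
    last_activity_at: datetime  # last request accepted on this session
    bound_ip: str               # source IP the session was established from

def evaluate_request(session: AdminSession, now: datetime, client_ip: str) -> str:
    """Return "allow", "reauth" (new source IP, i.e. session binding) or "expire"."""
    # Lifetime and idle limits are checked first: a session past its limits is
    # torn down rather than merely prompted to re-authenticate.
    if now - session.started_at > MAX_SESSION_LIFETIME:
        return "expire"
    if now - session.last_activity_at > MAX_IDLE_TIME:
        return "expire"
    if client_ip != session.bound_ip:
        return "reauth"
    session.last_activity_at = now  # an accepted request resets the idle clock
    return "allow"

def replay(events):
    """Replay (timestamp, client_ip) pairs against one admin session; return the decisions."""
    decisions, session = [], None
    for ts, ip in events:
        if session is None:  # no live session: treat the request as a fresh login
            session = AdminSession(ts, ts, ip)
            decisions.append("allow")
            continue
        verdict = evaluate_request(session, ts, ip)
        decisions.append(verdict)
        if verdict == "expire":
            session = None  # the next request must authenticate again
    return decisions

# Constructed sample timeline (not real log data); IPs are documentation ranges.
T0 = datetime(2023, 11, 1, 9, 0)
SAMPLE_EVENTS = [
    (T0, "203.0.113.10"),                          # login, session bound to this IP
    (T0 + timedelta(minutes=5), "203.0.113.10"),   # normal activity -> allow
    (T0 + timedelta(minutes=6), "198.51.100.7"),   # same token, new IP -> reauth
    (T0 + timedelta(minutes=30), "203.0.113.10"),  # 25 min idle -> expire
    (T0 + timedelta(minutes=31), "203.0.113.10"),  # fresh login -> allow
]
```

A request that arrives from a new IP is not counted as activity, so a replayed token neither extends the session nor passes without re-authentication.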