Okta breach: 134 customers exposed in support system hack

November 3, 2023 at 10:24AM

Okta recently revealed that attackers who breached their customer support system gained access to files belonging to 134 customers. Of those customers, five were targets of session hijacking attacks using stolen session tokens. Three of the affected customers, 1Password, BeyondTrust, and Cloudflare, reported the unauthorized activity after detecting login attempts on Okta administrator accounts. The breach occurred due to threat actors using support service account credentials stolen from an employee’s personal Google account. Okta has taken steps to prevent similar incidents in the future. Additionally, Okta recently suffered other breaches, including one in which the personal information of nearly 5,000 employees was exposed due to a breach at the healthcare coverage provider Rightway Healthcare.

Key takeaways:

1. In a recent breach, attackers gained unauthorized access to Okta’s customer support system and obtained files belonging to 134 customers. Out of the affected customers, 5 were later targeted in session hijacking attacks using stolen session tokens.

2. The breach occurred between September 28, 2023, and October 17, 2023, affecting less than 1% of Okta customers.

3. Okta revealed that some of the stolen files contained HAR files with session tokens, which were used for session hijacking attacks. Three of the affected customers (1Password, BeyondTrust, and Cloudflare) have already reported suspicious activity and unauthorized login attempts.

4. It took Okta over two weeks to officially confirm the breach in their support system after being alerted about session hijacking attempts on September 29. Multiple meetings were held with the affected customers during this period.

5. The threat actors gained access to Okta’s support system by using credentials for a support service account that were stolen from an employee’s personal Google account. Compromise of the employee’s personal Google account or device is considered the most likely way the credential was exposed.

6. Okta has implemented several measures in response to the breach to prevent similar incidents in the future. These measures include disabling the compromised service account, blocking the use of personal Google profiles with Google Chrome on Okta-managed devices, enhancing detection and monitoring rules for the customer support system, and binding Okta administrator session tokens based on network location.

7. In addition to this recent breach, Okta has experienced other breaches in the past two years due to credential theft and social engineering attacks. One breach involved hackers accessing confidential source code information stored in private GitHub repositories, affecting approximately 2.5% of Okta’s customer base. Another incident resulted in the theft of source code repositories from Okta subsidiary Auth0 by unknown attackers using an unknown method.

8. Okta also notified nearly 5,000 current and former employees that their personal information was exposed in a breach of its healthcare coverage provider, Rightway Healthcare, on September 23. The exposed information includes employees’ full names, Social Security numbers (SSNs), and health or medical insurance plan numbers.
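Item 3 describes the mechanism (HAR files uploaded to support still holding live session tokens) and item 6 the server-side mitigations Okta put in place; the customer-side complement is scrubbing a HAR before it leaves your hands. The following Python is an added example, not code from Okta or from the original article; the sample HAR, the header list and the secret values are constructed for illustration (only the HAR 1.2 layout itself is the real format).

```python
import json

# Constructed sample HAR (not from the Okta incident): one captured request
# whose headers, cookies and response body all carry a reusable session token.
TOKEN = "eyJhbGciOi.constructed.token"
SID = "102abc-constructed-session-id"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://tenant.example/api/v1/users",
        "headers": [{"name": "Authorization", "value": f"Bearer {TOKEN}"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": SID}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": f"sid={SID}; Path=/; Secure; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": SID}],
        "content": {"mimeType": "application/json", "text": json.dumps({"token": TOKEN})},
    },
}]}}

REDACTED = "[REDACTED]"
# Baseline header names that carry credentials; extend for app-specific headers.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

def sanitize_har(har: dict) -> dict:
    """Deep-copy a HAR and redact session-bearing fields, keeping URLs,
    status codes and non-credential headers so it stays useful for support."""
    clean = json.loads(json.dumps(har))  # deep copy; caller's object is untouched
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in part.get("cookies", []):
                cookie["value"] = REDACTED
        # Response bodies often echo tokens (login/refresh endpoints): drop the text.
        content = entry.get("response", {}).get("content", {})
        if "text" in content:
            content["text"] = REDACTED
    return clean

def leaks(har: dict, secrets) -> bool:
    """True if any known secret string survives anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return any(s in blob for s in secrets)
```

Run `leaks()` against the cleaned file with the cookie and token values you know were in the browser session before sending it anywhere; a redaction that misses an app-specific header shows up immediately.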
