November 4, 2023 at 12:30PM
Okta attributes the recent compromise of its customer support system to an employee who signed in to a personal Google account on a company-managed laptop and saved the username and password of an Okta service account into that personal account. Once the personal Google account, or the employee's personal device, was compromised, the attacker held working credentials for the support system and pulled HAR files that customers had uploaded for troubleshooting. Some of those files contained valid session tokens, which the attacker replayed to hijack legitimate sessions at several Okta customers. Okta admits that its internal controls failed to detect the intrusion. This is not the first time Okta has been targeted; it has been hit by multiple hacking groups in the past.
Between September 28 and October 17, the threat actor had unauthorized access to files in Okta's customer support system belonging to 134 Okta customers, less than 1% of its customer base. The HAR files among them carried session tokens, and those tokens were used to hijack sessions at five customers, including BeyondTrust and Cloudflare. A HAR file records complete HTTP exchanges, Cookie and Authorization headers included, so a token captured in one stays usable until the session is revoked or expires; the practical control is to strip that material before a HAR file leaves the organization, and to revoke sessions once a file is known to have been exposed. Okta acknowledged a failure of internal controls: the activity went unidentified during the initial 14-day investigation and was only confirmed after BeyondTrust shared a suspicious IP address tied to the threat actor. Okta has been targeted by multiple hacking groups before, with attacks ranging from social-engineering IT service desk staff into resetting multi-factor authentication to financially motivated cybercrime campaigns.
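The check a practitioner wants after reading the above is whether a HAR file about to be sent to a vendor still contains session material. The following Python scrubber is an added example written for this page, not code from Okta, BeyondTrust, Cloudflare or the article: it walks a HAR document, reports every place a token sits (Cookie, Set-Cookie and Authorization headers, cookie arrays, query strings, form fields, JSON bodies, and the URL itself), and redacts them in place unless run in dry-run mode. The header and key lists, the `[REDACTED]` marker and the sample HAR are constructed assumptions to be extended for your own applications.

```python
"""Find and redact session tokens in a HAR file before it is shared.

Added example for this page; not Okta's or any vendor's tool. The header
and key lists are assumptions: extend them for the applications you use.
"""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Headers that carry session material (assumed list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Query-string, form and JSON keys that carry tokens (assumed list).
SENSITIVE_KEYS = {"token", "access_token", "id_token", "refresh_token", "session", "sid", "code"}
# Matches "key": "value" pairs in JSON bodies for the keys above.
_JSON_KEY_RE = re.compile(
    r'"(' + "|".join(sorted(SENSITIVE_KEYS)) + r')"\s*:\s*"([^"]*)"', re.IGNORECASE
)


def _live(value):
    """True for a non-empty value that has not already been redacted."""
    return bool(value) and value != REDACTED


def scrub_har(har, dry_run=False):
    """Return a list describing each token found; redact in place unless dry_run."""
    found = []

    def pairs(idx, label, items, names):
        # names=None means every pair is sensitive (used for cookie arrays).
        for p in items:
            if _live(p.get("value")) and (names is None or p.get("name", "").lower() in names):
                found.append(f"entry {idx}: {label} {p.get('name')}")
                if not dry_run:
                    p["value"] = REDACTED

    def body(idx, label, holder):
        text = holder.get("text") or ""
        if not text:
            return

        def repl(m):
            if not _live(m.group(2)):
                return m.group(0)
            found.append(f"entry {idx}: {label} {m.group(1)}")
            return m.group(0) if dry_run else f'"{m.group(1)}": "{REDACTED}"'

        holder["text"] = _JSON_KEY_RE.sub(repl, text)

    def scrub_url(idx, req):
        # Tokens also live in the raw URL, not only in the queryString array.
        parts = urlsplit(req.get("url", ""))
        query, hit = [], False
        for k, v in parse_qsl(parts.query, keep_blank_values=True):
            if k.lower() in SENSITIVE_KEYS and _live(v):
                found.append(f"entry {idx}: request.url {k}")
                v, hit = REDACTED, True
            query.append((k, v))
        if hit and not dry_run:
            req["url"] = urlunsplit(parts._replace(query=urlencode(query)))

    for idx, entry in enumerate(har.get("log", {}).get("entries", [])):
        req, resp = entry.get("request", {}), entry.get("response", {})
        scrub_url(idx, req)
        pairs(idx, "request.headers", req.get("headers", []), SENSITIVE_HEADERS)
        pairs(idx, "request.cookies", req.get("cookies", []), None)
        pairs(idx, "request.queryString", req.get("queryString", []), SENSITIVE_KEYS)
        post = req.get("postData", {})
        pairs(idx, "request.postData.params", post.get("params", []), SENSITIVE_KEYS)
        body(idx, "request.postData.text", post)
        pairs(idx, "response.headers", resp.get("headers", []), SENSITIVE_HEADERS)
        pairs(idx, "response.cookies", resp.get("cookies", []), None)
        body(idx, "response.content.text", resp.get("content", {}))
    return found


# Constructed sample HAR with one entry; hostname and token values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/api/v1/users/me?token=qs-secret",
        "headers": [
            {"name": "Cookie", "value": "sid=102abcDEF; idx=ffee0011"},
            {"name": "Authorization", "value": "Bearer eyJhbGciOiJSUzI1NiJ9.example"},
            {"name": "Accept", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "102abcDEF"}, {"name": "idx", "value": "ffee0011"}],
        "queryString": [{"name": "token", "value": "qs-secret"}],
    },
    "response": {
        "status": 200,
        "headers": [
            {"name": "Set-Cookie", "value": "sid=newsession; Secure; HttpOnly"},
            {"name": "Content-Type", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "newsession"}],
        "content": {"mimeType": "application/json",
                    "text": '{"id": "00u1", "access_token": "eyJ.example.token"}'},
    },
}]}}


def sample_har():
    """Fresh copy of the constructed sample so callers can scrub it freely."""
    return copy.deepcopy(SAMPLE_HAR)


if __name__ == "__main__":
    har = sample_har()
    print("exposures before scrub:", *scrub_har(har, dry_run=True), sep="\n  ")
    scrub_har(har)
    print("exposures after scrub:", scrub_har(har, dry_run=True))
    print(json.dumps(har, indent=1))
```

Run it in dry-run mode on a real export first to see what would leave the building, then scrub and re-run to confirm the list is empty. Redaction only protects files that have not yet been shared; for a HAR file already in a third party's hands, the tokens inside it must be treated as leaked and the corresponding sessions revoked.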