Okta says hackers breached its support system and viewed customer files

A cartoon man runs across a white field of ones and zeroes.

Identity and authentication management provider Okta said hackers managed to view private customer information after gaining access to credentials to its customer support management system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Okta Chief Security Officer David Bradbury said Friday. He suggested those files comprised HTTP archive, or HAR, files, which company support personnel use to replicate customer browser activity during troubleshooting sessions.

“HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users,” Bradbury wrote. “Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”

Bradbury didn’t say how the hackers stole the credentials to Okta’s support system. The CSO also didn’t say whether access to the compromised support system was protected by two-factor authentication, which best practices call for.

Security firm BeyondTrust said it alerted Okta to suspicious activity earlier this month after detecting an attacker using a valid authentication cookie trying to access one of BeyondTrust’s in-house Okta administrator accounts. BeyondTrust’s access policy controls stopped the attacker’s “initial activity, but limitations in Okta’s security model allowed them to perform a few confined actions,” the company said without elaborating. Eventually, BeyondTrust was able to block all access.

Beyond Trust said it notified Okta of the event but didn’t get a response for more than two weeks. In a post, BeyondTrust officials wrote:

The initial incident response indicated a possible compromise at Okta of either someone on their support team or someone in position to access customer support-related data. We raised our concerns of a breach to Okta on October 2nd. Having received no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta until October 19th when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers.

The incident timeline provided by Beyond Trust was as follows:

  • October 2, 2023 – Detected and remediated identity centric attack on an in-house Okta administrator account and alerted Okta
  • October 3, 2023 – Asked Okta support to escalate to Okta security team given initial forensics pointing to a compromise within Okta support organization
  • October 11, 2023 and October 13, 2023 – Held Zoom sessions with Okta security team to explain why we believed they might be compromised
  • October 19, 2023 – Okta security leadership confirmed they had an internal breach, and BeyondTrust was one of their affected customers.

Okta has experienced multiple security or data breaches in recent years. In March 2022, circulated images showed that a hacking outfit known as Lapsus$ purportedly gained access to an Okta administration panel, allowing it to reset passwords and multifactor authentication credentials for Okta customers. The company said the breach occurred after the hackers compromised a system belonging to one of its subprocessors.

In December 2022, hackers stole Okta source code stored in a company account on GitHub.

Bradbury said Okta has notified all customers whose data was accessed in the recent event. Friday’s post contains IP addresses and browser user agents used by the threat actors that others can use to indicate if they have also been affected. The compromised support management system is separate from Okta’s production service and Auth0/CIC case management system, neither of which was impacted.

https://arstechnica.com/?p=1977688