Okta says attackers accessed files containing cookies and session tokens uploaded by customers to its support management system after breaching it using stolen credentials.
“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” said Okta’s Chief Security Officer David Bradbury.
“It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted.”
Okta’s CSO added that this incident did not impact the Auth0/CIC case management system. Okta notified all customers’ whose Okta environment or support tickets were impacted by the incident. Those who haven’t received an alert are not affected.
Session tokens and cookies exposed
While the company has yet to provide details on what customer information was exposed or accessed in the breach, the support case management system breached in this attack was also used to store HTTP Archive (HAR) files used to replicate user or administrator errors to troubleshoot various issues reported by users.
They also contain sensitive data, such as cookies and session tokens, which threat actors could use to hijack customer accounts.
“HAR files represent a recording of browser activity and possibly contain sensitive data, including the content of the pages visited, headers, cookies, and other data,” Okta explains on its support portal.
“While this allows Okta staff to replicate browser activity and troubleshoot issues, malicious actors could use these files to impersonate you.”
The company worked with affected customers during the incident investigation and revoked session tokens embedded in shared HAR files. It now advises all customers to sanitize their HAR files before sharing to ensure they don’t include credentials and cookies/session tokens.
Okta also shared a list of indicators of compromise observed during the investigation, including IP addresses and web browser User-Agent information linked to the attackers.
Instead, the spokesperson said the support system “is separate from the production Okta service, which is fully operational and has not been impacted. We have notified impacted customers and taken measures to protect all our customers.”
Breach discovered by BeyondTrust after breach attempt
Identity management BeyondTrust says it was one of the affected customers and provided additional insight into the incident.
BeyondTrust’s security team detected and blocked an attempt to log into an in-house Okta administrator account on October 2 using a cookie stolen from Okta’s support system.
While BeyondTrust contacted Okta and provided them with forensics data showing that their support organization was compromised, it took Okta over two weeks to confirm the breach.
“We raised our concerns of a breach to Okta on October 2nd. Having received no acknowledgment from Okta of a possible breach, we persisted with escalations within Okta until October 19th when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers,” BeyondTrust said.
BeyondTrust says the attack was thwarted by “custom policy controls,” but due to “limitations in Okta’s security model,” the malicious actor was able to perform “a few confined actions.”
Despite this, the company says the attacker did not gain access to any of its systems, and its customers were not impacted.
BeyondTrust also shared the following attack timeline:
- October 2, 2023 – Detected and remediated an identity-centric attack on an in-house Okta administrator account and alerted Okta
- October 3, 2023 – Asked Okta support to escalate to Okta security team given initial forensics pointing to a compromise within Okta support organization
- October 11, 2023, and October 13, 2023 – Held Zoom sessions with Okta security team to explain why we believed they might be compromised
- October 19, 2023 – Okta security leadership confirmed they had an internal breach, and BeyondTrust was one of their affected customers.
Cloudflare also affected
Cloudflare also discovered malicious activity linked to Okta’s breach on its servers on Wednesday, October 18, 2023.
“While this was a troubling security incident, our Security Incident Response Team’s (SIRT) real-time detection and prompt response enabled containment and minimized the impact to Cloudflare systems and data,” the company said.
“We have verified that no Cloudflare customer information or systems were impacted by this event.”
The attackers leveraged an authentication token stolen from Okta’s support system to pivot into Cloudflare’s Okta instance using an open session with Administrative privileges.
Cloudflare contacted Okta regarding the incident 24 hours before they were alerted of the breach impacting Okta’s systems.
“It appears that in our case, the threat actor was able to hijack a session token from a support ticket that was created by a Cloudflare employee. Using the token extracted from Okta, the threat actor accessed Cloudflare systems on October 18,” Cloudflare said.
“In this sophisticated attack, we observed that threat actors compromised two separate Cloudflare employee accounts within the Okta platform. “
Multiple security incidents in less than 2 years
Last year, Okta disclosed that some of its customers’ data was exposed after the Lapsus$ data extortion group gained access to its administrative consoles in January 2022.
One-time passwords (OTPs) delivered to Okta customers over SMS were also stolen by the Scatter Swine threat group (aka 0ktapus), which breached cloud communications company Twilio in August 2022.
Okta-owned authentication service provider Auth0 also disclosed in September that some older source code repositories were stolen from its environment using an unknown method.
Okta revealed its own source code theft incident in December after the company’s private GitHub repositories were hacked.
