Update October 20, 16:15 EDT: Added BeyondTrust incident details.
Okta says attackers accessed files containing cookies and session tokens uploaded by customers to its support management system after breaching it using stolen credentials.
“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” said Okta’s Chief Security Officer David Bradbury.
“It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted.”
Okta’s CSO added that this incident did not impact the Auth0/CIC case management system. Okta notified all customers whose Okta environment or support tickets were impacted by the incident. Those who have not received an alert are not affected.
Session tokens and cookies exposed
While the company has yet to provide details on what customer information was exposed or accessed in the breach, the support case management system breached in this attack was also used to store HTTP Archive (HAR) files used to replicate user or administrator errors to troubleshoot various issues reported by customers.
These files also contain sensitive data, such as cookies and session tokens, which threat actors could use to hijack customer accounts.
“HAR files represent a recording of browser activity and potentially contain sensitive data, including the content of the pages visited, headers, cookies, and other data,” Okta explains on its support portal.
“While this allows Okta staff to replicate browser activity and troubleshoot issues, malicious actors could use these files to impersonate you.”
The company worked with affected customers during the incident investigation and revoked session tokens embedded in shared HAR files. It now advises all customers to sanitize their HAR files before sharing by ensuring they do not include credentials and cookies/session tokens.
Okta also shared a list of indicators of compromise observed during the investigation, including IP addresses and web browser User-Agent information linked to the attackers.
An Okta spokesperson did not reply to questions regarding the date of the breach and how many customers were affected when BleepingComputer reached out earlier today.
Instead, the spokesperson said the support system “is separate from the production Okta service, which is fully operational and has not been impacted. We have notified impacted customers and taken measures to protect all our customers.”
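One way to apply that sanitization advice before a HAR file is attached to a support case, as an added example that is not Okta's own tooling: a small Python routine that walks a HAR 1.2 log and replaces the values of Cookie, Set-Cookie and Authorization headers and of the parsed cookies arrays, plus a check that counts what is still exposed. The sample HAR, its hostname and its session IDs are constructed for illustration.

```python
import copy
import json

# Header names (compared case-insensitively) whose values are credentials or
# session material and must not leave the machine that recorded the HAR.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _sensitive_items(har: dict):
    """Yield every header or cookie object in a HAR 1.2 log whose value is sensitive."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    yield header
            # HAR also stores Cookie/Set-Cookie headers as parsed 'cookies' arrays.
            yield from msg.get("cookies", [])


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of the HAR with sensitive header and cookie values replaced."""
    clean = copy.deepcopy(har)
    for item in _sensitive_items(clean):
        item["value"] = REDACTED
    return clean


def count_exposures(har: dict) -> int:
    """Number of unredacted sensitive values; share the file only when this is 0."""
    return sum(1 for item in _sensitive_items(har) if item.get("value") != REDACTED)


# Constructed sample (not a real capture): one request to a made-up admin URL
# carrying a session cookie, and a response that sets a new one.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example.okta.invalid/admin",
        "headers": [{"name": "Accept", "value": "text/html"},
                    {"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION_ID"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_ID"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED_NEW_ID; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED_NEW_ID"}],
    },
}]}}

if __name__ == "__main__":
    print(count_exposures(SAMPLE_HAR), "sensitive values before sanitizing")
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```

Response bodies (`content.text`) and request `postData` are left intact here so the capture stays useful for troubleshooting; extend `_sensitive_items` if your login flow echoes tokens in bodies.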
Breach discovered by BeyondTrust after breach attempt
Identity management company BeyondTrust says it was one of the affected customers and provided additional insight into the incident.
BeyondTrust’s security team detected and blocked an attempt to log into an in-house Okta administrator account on October 2 using a cookie stolen from Okta’s support system.
While BeyondTrust contacted Okta and provided them with forensics data showing that their support unit was compromised, it took Okta over two weeks to confirm the breach.
“We raised our concerns of a breach to Okta on October 2nd. Having received no acknowledgement from Okta of a possible breach, we continued with escalations within Okta until October 19th when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers,” BeyondTrust said.
BeyondTrust says the attack was thwarted by “custom policy controls,” but due to “limitations in Okta’s security model,” the malicious actor was able to perform “a few confined actions.”
Despite this, the company says the attacker did not gain access to any of its systems, and its customers were not impacted.
BeyondTrust also shared the following attack timeline:
October 2, 2023 – Detected and remediated identity-centric attack on an in-house Okta administrator account and alerted Okta
October 3, 2023 – Requested Okta support to escalate to Okta security team given initial forensics pointing to a compromise within Okta support unit
October 11, 2023 and October 13, 2023 – Held Zoom sessions with Okta security team to explain why we believed they might be compromised
October 19, 2023 – Okta security leadership confirmed they had an internal breach, and BeyondTrust was one of their affected customers.
Multiple security incidents in less than 2 years
Last year, Okta disclosed that some of its customers’ data was exposed after the Lapsus$ data extortion group gained access to its administrative consoles in January 2022.
One-time passwords (OTPs) delivered to Okta customers over SMS were also stolen by the Scatter Swine threat group (aka 0ktapus), which breached cloud communications company Twilio in August 2022.
Okta-owned authentication service provider Auth0 also disclosed in September that some older source code repositories were stolen from its environment using an unknown method.
Okta revealed its own source code theft incident in December after the company’s private GitHub repositories were hacked.