Identity services provider Okta on Friday disclosed a new security incident that allowed unidentified threat actors to use stolen credentials to access its support case management system.
"The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases," David Bradbury, Okta's chief security officer, said. "It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted."
The company also emphasized that its Auth0/CIC case management system was not impacted by the breach, noting that it has directly notified the customers who were affected.
However, it said that the customer support system is also used to upload HTTP Archive (HAR) files, which replicate end-user or administrator errors for troubleshooting purposes.
"HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users," Okta warned.
It further said it worked with impacted customers to ensure that the embedded session tokens were revoked to prevent their abuse.
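Because a HAR file records every request and response header verbatim, the practical control on the customer side is to strip session material before the file ever reaches a support case. The following Python script is an added example written for this page, not a tool from Okta, Cloudflare or BeyondTrust; the lists of sensitive header and cookie names, the body fields it redacts (such as Okta's `sessionToken`) and the sample capture are assumptions constructed for illustration, so extend them to match your own tenant's traffic.

```python
import json
import re
from copy import deepcopy

# Headers whose values are credentials or session material (assumed list; extend as needed).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Cookie names that typically carry a session identifier (Okta's "sid" is one of them).
SENSITIVE_COOKIE_RE = re.compile(r"sid|session|token|jwt|auth", re.IGNORECASE)
# JSON bodies that echo a token, e.g. Okta's /api/v1/authn response carries "sessionToken".
BODY_TOKEN_RE = re.compile(
    r'("(?:sessionToken|access_token|id_token|refresh_token)"\s*:\s*")[^"]*(")'
)
REDACTED = "[REDACTED]"


def sanitize_har(har: dict):
    """Return (deep-copied HAR with secrets redacted, number of values redacted).

    The input is never modified, so the original capture can be kept locally
    while only the sanitized copy is attached to the support case.
    """
    out = deepcopy(har)
    redacted = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                    header["value"] = REDACTED
                    redacted += 1
            for cookie in msg.get("cookies", []):
                if SENSITIVE_COOKIE_RE.search(cookie.get("name", "")) and cookie.get("value") != REDACTED:
                    cookie["value"] = REDACTED
                    redacted += 1
        # Bodies live in response.content.text and request.postData.text in HAR 1.2.
        for holder in (entry.get("response", {}).get("content"),
                       entry.get("request", {}).get("postData")):
            if holder and isinstance(holder.get("text"), str):
                holder["text"], n = BODY_TOKEN_RE.subn(r"\1" + REDACTED + r"\2", holder["text"])
                redacted += n
    return out, redacted


def sanitize_har_text(text: str):
    """Same as sanitize_har but for the raw file contents; returns (json_text, count)."""
    out, n = sanitize_har(json.loads(text))
    return json.dumps(out, indent=2), n


# Constructed sample HAR (not a real capture): one request to an Okta-style endpoint.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://example.okta.com/api/v1/users/me",
            "headers": [{"name": "Cookie", "value": "sid=102abc...; DT=xyz"},
                        {"name": "Authorization", "value": "Bearer eyJhbGci..."},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "102abc..."}, {"name": "DT", "value": "xyz"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=102abc...; Secure; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "102abc..."}],
            "content": {"mimeType": "application/json",
                        "text": '{"status":"SUCCESS","sessionToken":"20111abc"}'},
        },
    }]}
}

if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} values")
    print(json.dumps(clean, indent=2))
```

Run it over a real export with `sanitize_har_text(open("capture.har").read())` and attach only the returned text. Note that redaction makes the HAR useless for reproducing problems that depend on the session itself; in that case the safer course is to treat the upload as a credential disclosure and rotate the session immediately after the case is closed.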
Okta did not disclose the scale of the attack, when the incident took place, or when it detected the unauthorized access. As of March 2023, it had more than 17,000 customers and managed around 50 billion users.
That said, BeyondTrust and Cloudflare are two customers that have confirmed they were targeted in the latest support system attack.
"The threat-actor was able to hijack a session token from a support ticket which was created by a Cloudflare employee," Cloudflare said. "Using the token extracted from Okta, the threat-actor accessed Cloudflare systems on October 18."
Describing it as a sophisticated attack, the web infrastructure and security company said the threat actor behind the activity compromised two separate Cloudflare employee accounts within the Okta platform. It also said that no customer information or systems were accessed as a result of the event.
BeyondTrust said it notified Okta of the breach on October 2, 2023, but the attack on Cloudflare suggests that the adversary retained access to Okta's support systems at least until October 18, 2023.
The identity management services firm said its Okta administrator had uploaded a HAR file to the system on October 2 to resolve a support issue, and that it detected suspicious activity involving the session cookie within 30 minutes of sharing the file. The attempted attacks against BeyondTrust were ultimately unsuccessful.
"BeyondTrust immediately detected and remediated the attack through its own identity tools, Identity Security Insights, resulting in no impact or exposure to BeyondTrust's infrastructure or to its customers," a spokesperson for the company told The Hacker News.
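BeyondTrust's detection, as described above, amounts to noticing that a session its administrator had established was suddenly being used from somewhere else. The script below is an added example, not BeyondTrust's Identity Security Insights or Okta's own tooling: it reads Okta System Log-style events and flags any session identifier that is later used from a different client (IP address or user agent) than the one that started it. The field paths (`authenticationContext.externalSessionId`, `client.ipAddress`, `client.userAgent.rawUserAgent`, `actor.alternateId`, `published`) follow the Okta System Log schema; the event records themselves are constructed for illustration, and the event types used are assumed to be representative rather than taken from any published incident data.

```python
from datetime import datetime, timezone

# Constructed sample events (not a real Okta export). The first two events are the
# administrator's own activity; the third and fourth are the same session replayed
# from another client; the last is an unrelated user and session.
SAMPLE_EVENTS = [
    {"published": "2023-10-02T14:00:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "okta-admin@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 Chrome/118"}},
     "authenticationContext": {"externalSessionId": "102AbCdEf"}},
    {"published": "2023-10-02T14:05:00.000Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "okta-admin@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 Chrome/118"}},
     "authenticationContext": {"externalSessionId": "102AbCdEf"}},
    {"published": "2023-10-02T14:27:00.000Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "okta-admin@example.com"},
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 Firefox/118"}},
     "authenticationContext": {"externalSessionId": "102AbCdEf"}},
    {"published": "2023-10-02T14:30:00.000Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "okta-admin@example.com"},
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 Firefox/118"}},
     "authenticationContext": {"externalSessionId": "102AbCdEf"}},
    {"published": "2023-10-02T14:31:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.25",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 Safari/17"}},
     "authenticationContext": {"externalSessionId": "102ZzYyXx"}},
]


def parse_ts(s: str) -> datetime:
    """Okta 'published' timestamps are ISO 8601 with millisecond precision and a Z suffix."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def client_of(ev: dict):
    """The (ip, user-agent) pair that identifies where a request came from."""
    c = ev.get("client") or {}
    return (c.get("ipAddress"), (c.get("userAgent") or {}).get("rawUserAgent"))


def find_session_reuse(events):
    """Return one finding per (session, new client) pair.

    A session is keyed by externalSessionId. The first event seen for a session
    defines its legitimate client; any later event on the same session from a
    different client is reported once, with the delay since the session started.
    """
    sessions = {}  # sid -> {"user", "start", "start_ip", "clients"}
    findings = []
    for ev in sorted(events, key=lambda e: e["published"]):
        sid = (ev.get("authenticationContext") or {}).get("externalSessionId")
        if not sid:
            continue
        client = client_of(ev)
        ts = parse_ts(ev["published"])
        sess = sessions.get(sid)
        if sess is None:
            sessions[sid] = {"user": ev["actor"]["alternateId"], "start": ts,
                             "start_ip": client[0], "clients": {client}}
            continue
        if client not in sess["clients"]:
            sess["clients"].add(client)  # report each new client only once
            findings.append({
                "session_id": sid,
                "user": sess["user"],
                "original_ip": sess["start_ip"],
                "new_ip": client[0],
                "new_user_agent": client[1],
                "event_type": ev["eventType"],
                "minutes_since_start": int((ts - sess["start"]).total_seconds() // 60),
            })
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(SAMPLE_EVENTS):
        print(f"session {f['session_id']} of {f['user']} reused from {f['new_ip']} "
              f"({f['new_user_agent']}) {f['minutes_since_start']} min after start "
              f"during {f['event_type']}")
```

On real data, feed it the output of the Okta System Log API (`GET /api/v1/logs`) for the relevant window, and treat a hit on an administrator's session as a signal to revoke that session and rotate the account's credentials rather than wait for further confirmation; legitimate roaming between networks will produce some noise, so pair the rule with user-agent and ASN context before alerting.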
The development is the latest in a long list of security mishaps that have singled out Okta over the past few years. The company has become a high-value target for hacking crews because its single sign-on (SSO) services are used by some of the largest companies in the world.