Identity and access management provider Okta on Friday disclosed that the recent breach of its support case management system affected 134 of its 18,400 customers.
It further noted that the unauthorized intruder had access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking attacks.
“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers,” Okta’s Chief Security Officer, David Bradbury, said.
Three of those affected include 1Password, BeyondTrust, and Cloudflare. 1Password was the first company to report suspicious activity, on September 29. Two other unnamed customers were identified on October 12 and October 18.
Okta formally disclosed the security incident on October 20, stating that the threat actor used a stolen credential to access Okta’s support case management system.
Now, the company has shared more details of how this happened.
It said the access to Okta’s customer support system abused a service account stored within the system itself, which had privileges to view and update customer support cases.
Further investigation revealed that the username and password of the service account had been saved to an employee’s personal Google account, and that the employee had signed in to that personal account in the Chrome web browser on their Okta-managed laptop.
“The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device,” Bradbury said.
Okta has since revoked the session tokens embedded in the HAR files shared by the affected customers and disabled the compromised service account.
It has also blocked the use of personal Google profiles within enterprise versions of Google Chrome, preventing its employees from signing in to their personal accounts on Okta-managed laptops.
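HAR files record every request and response header, so a capture taken for a support case carries the live session cookies and bearer tokens of the person who recorded it. The following sanitizer, an added example rather than Okta's own tooling, redacts those values from a parsed HAR before the file leaves the machine; the sample capture, the host `example.test` and the cookie name `sid` are constructed for illustration.

```python
import json

# Header names whose values carry credentials or session material (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"

def _redact(items, is_sensitive):
    """Blank the value of each matching entry in a HAR header/cookie list; return how many changed."""
    changed = 0
    for item in items:
        if is_sensitive(item) and item.get("value") not in (None, REDACTED):
            item["value"] = REDACTED
            changed += 1
    return changed

def sanitize_har(har):
    """Redact session material in a parsed HAR, in place; return the number of values redacted."""
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            total += _redact(part.get("headers", []), lambda h: h.get("name", "").lower() in SENSITIVE_HEADERS)
            # Every cookie value is treated as a potential session token, whatever its name.
            total += _redact(part.get("cookies", []), lambda c: True)
    return total

def sanitize_har_text(text):
    """Parse a HAR document, redact it, and return (sanitized JSON text, count of redacted values)."""
    har = json.loads(text)
    count = sanitize_har(har)
    return json.dumps(har, indent=1), count

# Constructed sample capture (not a real HAR): one request carrying a session cookie and a
# bearer token, and a response that sets a fresh session cookie.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.test/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=abc123"},
                            {"name": "Authorization", "value": "Bearer tok-constructed"},
                            {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly; Secure"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "def456"}]}}]}})
```

Tokens can also appear in URL query strings and POST bodies, which this example does not touch; a capture should still be reviewed by eye before it is attached to a ticket.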
“Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators,” Bradbury said.
“Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.”
The development comes days after Okta revealed that personal information belonging to 4,961 current and former employees was exposed after its healthcare coverage vendor, Rightway Healthcare, was breached on September 23, 2023. Compromised data included names, Social Security numbers, and health or medical insurance coverage details.