Okta confirms breach of support system, exposing customer files

Hackers exploited a stolen credential to gain access to the company's support system

Identity and access management provider Okta has disclosed a recent security breach in its support case management system, which enabled hackers to gain unauthorised access using valid credentials, exposing private customer information.

The breach was disclosed by Okta's chief security officer, David Bradbury, in a blog post on Friday.

According to Bradbury, the hacker exploited a stolen credential to gain unauthorised access to Okta's support case management system.

Within this system, the attacker was able to access browser recording files that had been uploaded by Okta's customers for troubleshooting purposes.

These browser recording sessions, also known as HTTP Archive (HAR) files, are important for diagnosing issues during web browsing sessions.

However, they often contain sensitive data, including web cookies and session tokens, which, if stolen, could be used to impersonate a legitimate user.

Okta says it promptly responded to the breach by working closely with the affected customers to investigate the incident.

The company has alerted all customers whose data was exposed. It has also released IP addresses and browser user agent information used by the malicious actors, enabling affected parties to verify if they have been impacted.

The breach came to light after suspicious activity was detected by the security firm BeyondTrust.

BeyondTrust, which alerted Okta to the suspicious activity, discovered an attacker using a valid authentication cookie attempting to access one of its in-house Okta administrator accounts earlier in October.

BeyondTrust's access policies blocked the attacker's initial actions, but limitations in Okta's security model still allowed a small number of confined actions.

BeyondTrust says it was eventually able to block all access.
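Two checks an Okta customer would run on a System Log export after reading the notice above: matching events against the indicators Okta released (the IP addresses and user agents mentioned earlier), and flagging a session that reappears from a different source IP than the one it started from, which is the shape of the replayed-cookie access BeyondTrust described. This is an added example, not Okta's or BeyondTrust's code; the event field names (`client.ipAddress`, `client.userAgent.rawUserAgent`, `actor.alternateId`, `authenticationContext.externalSessionId`, `eventType`, `published`) are assumed from the Okta System Log export format, and the indicator values and log lines are constructed placeholders, not the indicators Okta published.

```python
"""Two checks on an Okta System Log export after the support-system breach.

Added example, not Okta's or BeyondTrust's code. Event field names
(client.ipAddress, client.userAgent.rawUserAgent, actor.alternateId,
authenticationContext.externalSessionId, eventType, published) are assumed
from the Okta System Log format; the IoC values and the log lines are
constructed placeholders, not the indicators Okta released.
"""
import json

# Placeholders: substitute the IP addresses and user agents from Okta's notice.
IOC_IPS = {"203.0.113.77", "198.51.100.12"}
IOC_USER_AGENTS = {"Mozilla/5.0 (CONSTRUCTED placeholder UA)"}


def _event(ts, etype, actor, ip, ua, session):
    """Build one constructed System Log event in the assumed export shape."""
    return json.dumps({
        "published": ts, "eventType": etype,
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
        "authenticationContext": {"externalSessionId": session},
    })


UA_NORMAL = "Mozilla/5.0 (X11; Linux x86_64)"
# Constructed sample export: one JSON event per line.
SAMPLE_LOG = "\n".join([
    _event("2023-10-05T13:02:11.000Z", "user.session.start", "admin@example.test",
           "192.0.2.10", UA_NORMAL, "sess-A"),
    # Same session id, different source IP: the pattern of a replayed cookie.
    _event("2023-10-05T13:07:40.000Z", "user.session.access_admin_app", "admin@example.test",
           "203.0.113.77", UA_NORMAL, "sess-A"),
    _event("2023-10-05T13:09:02.000Z", "user.authentication.sso", "dev@example.test",
           "192.0.2.44", "Mozilla/5.0 (CONSTRUCTED placeholder UA)", "sess-B"),
    _event("2023-10-05T13:11:30.000Z", "user.authentication.sso", "dev@example.test",
           "192.0.2.44", "Mozilla/5.0 (CONSTRUCTED placeholder UA)", "sess-B"),
])


def _parse(log_text):
    """Parse a newline-delimited JSON export, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def match_iocs(log_text, ioc_ips=IOC_IPS, ioc_uas=IOC_USER_AGENTS):
    """Return (published, actor, eventType, reason) for events touching an indicator."""
    hits = []
    for ev in _parse(log_text):
        client = ev.get("client", {})
        ip = client.get("ipAddress")
        ua = (client.get("userAgent") or {}).get("rawUserAgent")
        reasons = []
        if ip in ioc_ips:
            reasons.append(f"ip:{ip}")
        if ua in ioc_uas:
            reasons.append("user-agent")
        if reasons:
            hits.append((ev["published"], ev["actor"]["alternateId"],
                         ev["eventType"], ",".join(reasons)))
    return hits


def session_ip_changes(log_text):
    """Flag events where a session id reappears from a different IP than first seen."""
    first_ip = {}
    flagged = []
    for ev in _parse(log_text):
        sess = (ev.get("authenticationContext") or {}).get("externalSessionId")
        ip = ev.get("client", {}).get("ipAddress")
        if not sess or not ip:
            continue
        seen = first_ip.setdefault(sess, ip)  # remember the IP the session began on
        if seen != ip:
            flagged.append((ev["published"], ev["actor"]["alternateId"], sess, seen, ip))
    return flagged


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print("IOC", *hit)
    for change in session_ip_changes(SAMPLE_LOG):
        print("SESSION-IP-CHANGE", *change)
```

Run against a real export by replacing `SAMPLE_LOG` with the file contents and the two placeholder sets with the published indicators. The session check is deliberately strict (any IP change within a session is reported); environments with mobile users or egress pools will want to compare at the ASN or country level instead.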

The company reported the incident to Okta on 2nd October, but it took more than two weeks for Okta to acknowledge the breach and its impact.

Okta says it has taken measures to safeguard customers, including the revocation of embedded session tokens.

Importantly, it has clarified that the compromised support management system is distinct from its production service and from the Auth0/CIC case management system, neither of which was affected by this breach.

Bradbury emphasised the importance of sanitising all credentials and cookies/session tokens within HAR files before sharing them, as a precaution.
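The sanitising step Bradbury recommends, as an added example that is not Okta's own tooling: a script that walks a HAR file in the HAR 1.2 layout (`log.entries[]`, each with `request` and `response` carrying `headers[]`, `cookies[]`, `queryString[]`, `postData` and `content`) and replaces every cookie value, every credential-bearing header (Authorization, Cookie, Set-Cookie and similar), token-named query and form parameters, and token-named string fields inside JSON bodies with a marker, returning a redaction count so the user can see that something was actually removed. The sample HAR and every value in it are constructed.

```python
"""Redact credentials, cookies and session tokens from a HAR file before sharing it.

Added example, not Okta's tooling. It walks the HAR 1.2 layout
(log.entries[].request / .response with headers[], cookies[], queryString[],
postData and content) and replaces secret-bearing values with a marker.
The sample HAR below and every value in it are constructed.
"""
import copy
import json
import re

REDACTED = "[REDACTED]"

# Header names (lower-case) whose values carry credentials or session material.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-csrf-token", "x-xsrf-token",
}
# Query-string, form and JSON field names that commonly carry tokens or secrets.
SENSITIVE_PARAMS = {
    "access_token", "id_token", "refresh_token", "token", "code", "state",
    "client_secret", "password", "session", "sessiontoken", "sid",
}
# `"name": "value"` pairs in body text whose name is one of SENSITIVE_PARAMS.
_JSON_SECRET_RE = re.compile(
    r'("(?:' + "|".join(map(re.escape, SENSITIVE_PARAMS)) + r')"\s*:\s*")([^"]*)(")',
    re.IGNORECASE,
)

def _redact_named(items, names, counter):
    """Redact the value of each {name, value} record whose name is in `names`."""
    for item in items:
        if item.get("name", "").lower() in names and item.get("value"):
            item["value"] = REDACTED
            counter[0] += 1

def _redact_cookies(cookies, counter):
    """Cookie values are session material by definition: redact all of them."""
    for c in cookies:
        if c.get("value"):
            c["value"] = REDACTED
            counter[0] += 1

def _redact_body(text, counter):
    """Redact token-named string fields inside a JSON request/response body."""
    if not text:
        return text
    text, n = _JSON_SECRET_RE.subn(lambda m: m.group(1) + REDACTED + m.group(3), text)
    counter[0] += n
    return text

def sanitize_har(har):
    """Return (sanitised deep copy of a parsed HAR dict, number of redactions)."""
    har = copy.deepcopy(har)  # never mutate the caller's original
    counter = [0]
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        _redact_named(req.get("headers", []), SENSITIVE_HEADERS, counter)
        _redact_named(resp.get("headers", []), SENSITIVE_HEADERS, counter)
        _redact_cookies(req.get("cookies", []), counter)
        _redact_cookies(resp.get("cookies", []), counter)
        _redact_named(req.get("queryString", []), SENSITIVE_PARAMS, counter)
        post = req.get("postData", {})
        _redact_named(post.get("params", []), SENSITIVE_PARAMS, counter)
        if post.get("text"):
            post["text"] = _redact_body(post["text"], counter)
        content = resp.get("content", {})
        if content.get("text"):
            content["text"] = _redact_body(content["text"], counter)
    return har, counter[0]

# Constructed sample: one request/response pair as a browser would record it.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example.okta.test/api/v1/users/me",
        "headers": [
            {"name": "Host", "value": "example.okta.test"},
            {"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-ID; DT=CONSTRUCTED-DT"},
            {"name": "Authorization", "value": "SSWS CONSTRUCTED-API-TOKEN"},
        ],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-ID"}],
        "queryString": [{"name": "expand", "value": "groups"}],
    },
    "response": {
        "status": 200,
        "headers": [
            {"name": "Content-Type", "value": "application/json"},
            {"name": "Set-Cookie", "value": "sid=CONSTRUCTED-NEW-SID; Secure; HttpOnly"},
        ],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-NEW-SID"}],
        "content": {"mimeType": "application/json",
                    "text": '{"id": "00u1", "sessionToken": "CONSTRUCTED-ST", "status": "ACTIVE"}'},
    },
}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"{n} redactions")
    print(json.dumps(clean, indent=2))
```

For a file on disk, `json.load` it, pass the dict to `sanitize_har`, and write the returned copy out; the second return value should be non-zero for any recording of an authenticated session, and a zero there is a signal to inspect the file by hand before sharing it. The header and parameter name lists are a starting point; an application that carries tokens under other names needs them added.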

While Okta has acknowledged the breach, it has not disclosed how the hackers managed to obtain the credentials to access the support system.

Furthermore, it remains unclear whether the compromised support system was secured with two-factor authentication, a best practice in cybersecurity.

Okta provides organisations with identity and access tools, including "single sign-on" solutions that grant employees access to various company resources using a single set of credentials.

The security breach is the latest in a series of incidents for the company.

In December 2022, it disclosed that hackers had stolen some of its source code stored in a GitHub account.

Earlier in the same year, hackers posted screenshots that revealed unauthorised access to Okta's internal network after compromising a company that Okta utilised for customer service.

Okta shares fell by more than 11% after the current announcement.