Okta support system hacked with stolen credentials

Okta's support system has been compromised with stolen credentials. Okta, a provider of cloud identity and authentication services, has just admitted as much. The attacker was able to view files that certain Okta customers had uploaded as part of recent support cases. The vendor is now asking customers to rotate their credentials.


I came across this article from Okta via a post by Will Dormann, which discloses the facts of the matter. Okta's security team has identified an attacker who used stolen credentials to gain access to Okta's support case management system.

The attacker was able to view files uploaded to the support system by certain Okta customers as part of current support cases.

The vendor states that the Okta support case management system is separate from the Okta production service, which it says is fully operational and was not impacted. The Auth0/CIC case management system was also not affected by this incident.

Okta writes that all customers affected by this incident have been notified directly. Customers who have not been contacted by Okta itself, and who learn of the incident only through the media or a third party, are not affected according to the vendor.


How could this happen?

The vendor states that Okta Support asks customers to upload an HTTP Archive (HAR) file for support cases. A HAR file is a JSON recording of the browser's HTTP requests and responses, which lets support reproduce the problem. The catch: a HAR file also captures sensitive data, including cookies and session tokens, and anyone holding the file can replay those cookies and tokens to impersonate the legitimate user. That is most likely exactly what happened here.

Okta has been working with affected customers to investigate the issue and has taken steps to protect all customers, including revoking the session tokens embedded in the uploaded files. In general, Okta recommends sanitizing all credentials, cookies and session tokens in a HAR file before sharing it.
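The following is an added example of how such sanitizing can be done; it is not Okta's tooling and not from the original post. It walks a parsed HAR 1.2 document and redacts credential-bearing headers (Cookie, Set-Cookie, Authorization and a few others), every cookie value, token-like query, form and fragment parameters, and JWT-looking strings in request and response bodies, then re-scans the result so that nothing obvious slipped through. The header and parameter names are a starting list, not a complete one, and the sample archive at the bottom is constructed for the example (the hostname, cookie values and the dummy JWT are placeholders).

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names (lower-case) whose values carry credentials or session material.
# Starting list; extend it for headers your own applications use.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key", "x-auth-token"}
# Query-string / form / fragment parameters that commonly carry tokens.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "code", "session", "sessiontoken", "sid"}
# Anything shaped like a JWT: three base64url segments, header starting with {"alg"
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _scrub_params(qs):
    pairs = parse_qsl(qs, keep_blank_values=True)
    return urlencode([(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
                      for k, v in pairs])


def _scrub_url(url):
    parts = urlsplit(url)
    # Fragments matter too: implicit-flow responses put access tokens after '#'.
    frag = _scrub_params(parts.fragment) if "=" in parts.fragment else parts.fragment
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       _scrub_params(parts.query), frag))


def _scrub_named_values(items, names=None):
    """Redact the 'value' of each {name, value} pair; all of them if names is None."""
    for item in items:
        if names is None or item.get("name", "").lower() in names:
            item["value"] = REDACTED


def scrub_har(har):
    """Return a redacted deep copy of a parsed HAR 1.2 document."""
    har = json.loads(json.dumps(har))  # deep copy; never mutate the caller's object
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"] = _scrub_url(req.get("url", ""))
        _scrub_named_values(req.get("queryString", []), SENSITIVE_PARAMS)
        for side in (req, resp):
            _scrub_named_values(side.get("headers", []), SENSITIVE_HEADERS)
            _scrub_named_values(side.get("cookies", []))  # every cookie value
        post = req.get("postData", {})
        _scrub_named_values(post.get("params", []), SENSITIVE_PARAMS)
        if "text" in post:
            post["text"] = JWT_RE.sub(REDACTED, post["text"])
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = JWT_RE.sub(REDACTED, content["text"])
    return har


def find_leaks(har):
    """Post-scrub check: list credential-bearing values that are still present."""
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    findings.append(f"entry {i} {side} header {h['name']}")
            for c in part.get("cookies", []):
                if c.get("value") != REDACTED:
                    findings.append(f"entry {i} {side} cookie {c.get('name')}")
    if JWT_RE.search(json.dumps(har)):
        findings.append("JWT-like token still present somewhere in the archive")
    return findings


# Constructed sample archive (placeholder host, cookie values and dummy JWT).
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"},
  "entries": [{
    "request": {"method": "POST",
      "url": "https://example.okta.com/api/v1/users/me?sessionToken=20111abc",
      "headers": [{"name": "Cookie", "value": "sid=102abc; JSESSIONID=DEADBEEF"},
                  {"name": "Accept", "value": "application/json"}],
      "cookies": [{"name": "sid", "value": "102abc"}],
      "queryString": [{"name": "sessionToken", "value": "20111abc"}],
      "postData": {"mimeType": "application/json",
                   "text": "{\"token\": \"eyJhbGciOiJub25lIn0.eyJzdWIiOiJ0ZXN0In0.\"}"}},
    "response": {"status": 200,
      "headers": [{"name": "Set-Cookie", "value": "sid=102abc; Path=/; Secure; HttpOnly"}],
      "cookies": [{"name": "sid", "value": "102abc"}],
      "content": {"mimeType": "application/json", "text": "{\"id\": \"00u1\"}"}}}]}}

if __name__ == "__main__":
    clean = scrub_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=1))
    print("remaining leaks:", find_leaks(clean) or "none")
```

Two caveats worth keeping in mind: the redaction is allowlist-driven, so a custom header or a token embedded in a body format other than a JWT will survive it, and a manual read of the scrubbed file before uploading is still warranted. More robust than any scrubber is to treat the session that produced the HAR as burned and sign out (or revoke the session through the admin console) as soon as the ticket is filed, so that anything left in the file is worthless by the time anyone else reads it.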

Further notes

Okta has listed indicators of compromise (IP addresses) in its article, which customers can use for their own compromise analysis. An article at Bleeping Computer states that the attack was discovered by identity management company BeyondTrust, which was itself an affected customer.

BeyondTrust's security team detected and blocked an attempt to log into an internal Okta administrator account on October 2, 2023. The attempt used a session cookie stolen from Okta's support system. BeyondTrust has documented the incident in this blog post.

BeyondTrust writes that it informed Okta of its concern and suspicion of a breach on October 2, 2023, and provided forensic data showing that Okta's support organization had been compromised. Since Okta did not confirm a possible security breach, BeyondTrust escalated the incident further. On October 19, Okta's security leadership confirmed that a breach had indeed occurred and that BeyondTrust was one of the affected customers.

BeyondTrust says the attack was thwarted by "custom policy controls", but that due to "limitations in Okta's security model" the attacker was still able to perform "a few limited actions". The attacker did not gain access to the company's systems, and the company's customers were not affected. According to Bleeping Computer, Cloudflare is also among the customers affected by this incident.
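As an added example (not from the original post, Okta or BeyondTrust), here is a small sweep over an Okta System Log export that covers the two checks the passages above suggest: matching events against the IOC addresses from Okta's advisory, and looking for the signature of a replayed session cookie, namely one session identifier arriving from more than one client IP, which is what an admin session lifted from a HAR file looks like when the attacker uses it from their own network. The field names (`client.ipAddress`, `actor.alternateId`, `authenticationContext.externalSessionId`, `eventType`, `published`, `outcome.result`) are those of the System Log API. The IOC set and the sample events are constructed for the example; the addresses are RFC 5737 documentation ranges, and the real IOC list must be taken from Okta's article.

```python
import json
import sys
from collections import defaultdict

# Placeholder IOC set: substitute the IP addresses published in Okta's advisory.
IOC_IPS = {"198.51.100.77"}

# Constructed System Log events in the shape returned by GET /api/v1/logs
# (only the fields the checks below read are included).
SAMPLE_EVENTS = [
    {"published": "2023-10-02T13:01:05.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "admin@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"},
     "authenticationContext": {"externalSessionId": "102aBcDeF"}},
    {"published": "2023-10-02T13:05:22.000Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "admin@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"},
     "authenticationContext": {"externalSessionId": "102aBcDeF"}},
    # Same session id, different network, later the same day: the replay attempt.
    {"published": "2023-10-02T14:40:09.000Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "admin@example.com", "type": "User"},
     "client": {"ipAddress": "198.51.100.77"}, "outcome": {"result": "FAILURE"},
     "authenticationContext": {"externalSessionId": "102aBcDeF"}},
    {"published": "2023-10-02T14:41:00.000Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "client": {"ipAddress": "192.0.2.25"}, "outcome": {"result": "SUCCESS"},
     "authenticationContext": {"externalSessionId": "102zZzZzZ"}},
]


def ioc_hits(events, ioc_ips):
    """Events whose client IP is on the IOC list."""
    return [e for e in events if e.get("client", {}).get("ipAddress") in ioc_ips]


def session_ip_anomalies(events):
    """Sessions (externalSessionId) observed from more than one client IP.

    A legitimate user rarely changes networks mid-session; a cookie copied out of a
    HAR file and replayed elsewhere makes the same session id appear from a second IP.
    Returns {session_id: {ip: [events...]}} for the sessions that qualify.
    """
    by_session = defaultdict(lambda: defaultdict(list))
    for e in events:
        sid = e.get("authenticationContext", {}).get("externalSessionId")
        ip = e.get("client", {}).get("ipAddress")
        if sid and ip:
            by_session[sid][ip].append(e)
    return {sid: dict(ips) for sid, ips in by_session.items() if len(ips) > 1}


def report(events, ioc_ips=IOC_IPS):
    """One line per finding, suitable for triage or for piping into a ticket."""
    lines = []
    for e in ioc_hits(events, ioc_ips):
        lines.append(f"IOC {e['client']['ipAddress']} {e['published']} {e['eventType']} "
                     f"actor={e['actor']['alternateId']} outcome={e['outcome']['result']}")
    for sid, ips in session_ip_anomalies(events).items():
        actors = sorted({ev["actor"]["alternateId"] for evs in ips.values() for ev in evs})
        lines.append(f"SESSION {sid} actors={actors} seen from {sorted(ips)}")
    return lines


if __name__ == "__main__":
    # Usage: python okta_ioc_sweep.py system-log-export.json   (defaults to the sample)
    events = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EVENTS
    print("\n".join(report(events)) or "no findings")
```

The session check is a heuristic, not proof: mobile users and VPN reconnects change IP legitimately, so the hits need review, and it only works for the window the log export covers. Both checks are also only as good as the IOC list and the retention of the System Log, which is why Okta's own revocation of the embedded session tokens matters more than any after-the-fact sweep.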

Similar articles:
Authentication service OKTA hacked by Lapsus$?
Lapsus$ hacks: statements from Okta and Microsoft
Okta admits a mistake regarding disclosure in "Lapsus$ hack"

