Identity and access management provider Okta disclosed a new security incident on Friday, October 20th, 2023. The company stated that a threat actor used a stolen credential to gain unauthorized access to Okta's customer support case management system.
While Okta emphasized that its core authentication service was not affected and remained fully operational, the intrusion let the threat actor view, and potentially download, files that customers had uploaded as part of recent support cases.
Specifically, Okta noted that customers are routinely asked to upload HTTP Archive (HAR) files to the support system so that engineers can reproduce end-user or administrator errors. A HAR file is a JSON record of a browser's HTTP traffic, including request and response headers and cookies, so it can carry session cookies and bearer tokens that let anyone holding the file replay a legitimate user's session. Okta asks customers to sanitize credentials, cookies and session tokens out of HAR files before sharing them, but a file uploaded unsanitized is only as safe as the system that stores it.
Okta said it has directly notified all impacted customers, but it has not disclosed how many were affected, when the unauthorized access began, or when it was first detected.
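The sanitization step described above, as an added example that is not part of the original article or of any Okta tooling: a small Python script that redacts session-bearing headers, every cookie value, and JWT-shaped tokens in request and response bodies of a HAR file, then re-scans the result to confirm nothing token-shaped survived. The sample HAR is constructed for the example; the header list and the CSRF header name `x-okta-xsrftoken` are assumptions about what is worth redacting, not a complete list.

```python
"""Redact session material from a HAR file before attaching it to a support case.

Added example; the sample HAR below is constructed, not a real capture.
"""
import json
import re
import sys
from copy import deepcopy

REDACTED = "[REDACTED]"

# Header names that carry credentials or session identifiers (compared case-insensitively).
# Assumption: this list is a reasonable minimum, not everything a given app might use.
SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization",
    "x-okta-xsrftoken",
}
# Anything shaped like a JWT (base64url header.payload.signature) is redacted wherever it appears.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")


def _redact_headers(headers):
    n = 0
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED
            n += 1
    return n


def _redact_cookies(cookies):
    # Every cookie value goes: there is no reliable way to tell a session cookie from a benign one.
    for c in cookies:
        c["value"] = REDACTED
    return len(cookies)


def _redact_tokens(text):
    return JWT_RE.subn(REDACTED, text)


def sanitize_har(har):
    """Return (sanitized deep copy, redaction counts). The input object is not modified."""
    out = deepcopy(har)
    counts = {"headers": 0, "cookies": 0, "tokens": 0}
    for entry in out.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        for msg in (req, resp):
            counts["headers"] += _redact_headers(msg.get("headers", []))
            counts["cookies"] += _redact_cookies(msg.get("cookies", []))
        # Bodies: bearer tokens posted by the client, access/ID tokens returned by the server.
        post = req.get("postData", {})
        if isinstance(post.get("text"), str):
            post["text"], n = _redact_tokens(post["text"])
            counts["tokens"] += n
        content = resp.get("content", {})
        if isinstance(content.get("text"), str):
            content["text"], n = _redact_tokens(content["text"])
            counts["tokens"] += n
    return out, counts


def residual_tokens(har):
    """Post-check: count JWT-shaped strings anywhere in the serialized file (should be 0 after sanitizing)."""
    return len(JWT_RE.findall(json.dumps(har)))


# Constructed sample: one request to a (fictional) Okta tenant carrying a session cookie,
# and a response that sets a new cookie and returns a token in its body.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://example.okta.com/api/v1/users/me",
            "headers": [{"name": "Cookie", "value": "sid=102abcDEF; DT=xyz"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "102abcDEF"}, {"name": "DT", "value": "xyz"}],
            "queryString": [],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=newvalue; Path=/; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "newvalue"}],
            "content": {"mimeType": "application/json",
                        "text": '{"access_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl"}'},
        },
    }]}
}

if __name__ == "__main__":
    # Usage: python har_scrub.py capture.har clean.har   (no args: runs on the built-in sample)
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, counts = sanitize_har(src)
    print(f"redacted {counts}, residual JWT-shaped strings: {residual_tokens(clean)}")
    if len(sys.argv) > 2:
        json.dump(clean, open(sys.argv[2], "w"), indent=1)
```

The post-check matters more than the redaction list: run `residual_tokens` on the cleaned file and refuse to upload if it is non-zero. Tokens that are not JWTs (opaque session IDs in query strings, for instance) are not caught by the regex, so review the file by hand for the specific product before sharing it.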
Cloudflare and BeyondTrust Were Affected by Okta Hack
At least two known impacted customers are Cloudflare and BeyondTrust.
Cloudflare reported that on October 18th the attackers used a session token hijacked from one of its support tickets in Okta's system to reach Cloudflare's own Okta instance. Cloudflare stated that no customer information or systems were affected, but the date shows that the threat actors still had access to Okta's support platform more than two weeks after the first report of suspicious activity.
BeyondTrust notified Okta of suspicious activity on October 2nd after one of its administrators uploaded a HAR file to the support case system. Within 30 minutes of the upload, the session cookie contained in that file was being replayed against BeyondTrust's Okta tenant; BeyondTrust's identity monitoring tooling detected the attempt and its access policies blocked it. The company credited those controls with preventing any further exposure or impact from the stolen session cookie.
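The detection BeyondTrust describes, a replayed session cookie showing up from a source that does not match the legitimate session, can be reproduced from Okta System Log events. The following Python is an added example, not BeyondTrust's or Okta's code: it groups events by `authenticationContext.externalSessionId` and flags any session whose later events come from a different `client.ipAddress` than its first event, escalating when the country or browser also changes or when the event is `user.session.access_admin_app` (an admin console access). The event records are constructed for the example and trimmed to the fields the check reads.

```python
"""Flag Okta sessions whose events arrive from more than one source IP (session token reuse).

Added example; SAMPLE_EVENTS is constructed and trimmed, not real System Log output.
"""
from collections import defaultdict

ADMIN_EVENT = "user.session.access_admin_app"


def _event(uuid, published, event_type, user, session, ip, country, browser):
    return {
        "uuid": uuid, "published": published, "eventType": event_type,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip,
                   "geographicalContext": {"country": country},
                   "userAgent": {"browser": browser}},
        "authenticationContext": {"externalSessionId": session},
    }


# Session 102abcDEF: admin signs in, then an admin-app access appears from a new IP,
# country and browser 28 minutes later. Session 200xyzGHI: ordinary, consistent use.
SAMPLE_EVENTS = [
    _event("e1", "2023-10-02T14:01:05.000Z", "user.session.start", "admin@example.com",
           "102abcDEF", "203.0.113.10", "United States", "CHROME"),
    _event("e2", "2023-10-02T14:05:40.000Z", ADMIN_EVENT, "admin@example.com",
           "102abcDEF", "203.0.113.10", "United States", "CHROME"),
    _event("e3", "2023-10-02T14:29:12.000Z", ADMIN_EVENT, "admin@example.com",
           "102abcDEF", "198.51.100.7", "Netherlands", "FIREFOX"),
    _event("e4", "2023-10-02T14:10:00.000Z", "user.session.start", "alice@example.com",
           "200xyzGHI", "203.0.113.55", "United States", "SAFARI"),
    _event("e5", "2023-10-02T14:40:00.000Z", "user.authentication.sso", "alice@example.com",
           "200xyzGHI", "203.0.113.55", "United States", "SAFARI"),
]


def _session_id(ev):
    return ev.get("authenticationContext", {}).get("externalSessionId")


def _client(ev):
    c = ev.get("client", {})
    return (c.get("ipAddress"),
            c.get("geographicalContext", {}).get("country"),
            c.get("userAgent", {}).get("browser"))


def find_session_reuse(events):
    """Return one finding per event that uses a known session from a different IP than its origin."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["published"]):
        sid = _session_id(ev)
        if sid:
            by_session[sid].append(ev)

    findings = []
    for sid, evs in by_session.items():
        origin_ip, origin_country, origin_browser = _client(evs[0])
        for ev in evs[1:]:
            ip, country, browser = _client(ev)
            if ip == origin_ip:
                continue
            signals = ["new_ip"]
            if country != origin_country:
                signals.append("new_country")
            if browser != origin_browser:
                signals.append("new_browser")
            findings.append({
                "session": sid,
                "user": ev["actor"]["alternateId"],
                "event": ev["uuid"],
                "event_type": ev["eventType"],
                "origin_ip": origin_ip,
                "new_ip": ip,
                "signals": signals,
                # Admin console access from a new client, or several changed attributes at once,
                # is the pattern a replayed cookie produces; a bare IP change alone is lower confidence.
                "severity": "high" if ev["eventType"] == ADMIN_EVENT or len(signals) > 1 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(SAMPLE_EVENTS):
        print(f"{f['severity'].upper()}: session {f['session']} for {f['user']} "
              f"moved {f['origin_ip']} -> {f['new_ip']} ({', '.join(f['signals'])}) "
              f"in event {f['event']} [{f['event_type']}]")
```

A bare IP change is noisy on its own (mobile roaming, corporate egress pools, VPN reconnects), which is why the example weights country and browser changes and admin-app access before calling a finding high. On a confirmed hit the response is to clear the user's sessions (Okta's API exposes `DELETE /api/v1/users/{userId}/sessions` for this) and rotate anything the session could have reached, which is the same step Okta took for the tokens exposed in this incident.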
This security lapse is the latest in a series of incidents impacting Okta in recent years. As one of the largest enterprise identity and single sign-on providers, with over 17,000 customers, Okta is a high-value target. This breach specifically highlights the risk of routing artifacts that carry live session material, such as unsanitized HAR files, through a support portal: a compromise of that secondary system is then as good as a compromise of the customer's sessions.
While Okta stated it has revoked the impacted session tokens, this event serves as an alarming case study of how savvy attackers with stolen internal credentials can potentially pivot to access customer data through secondary systems like support portals.
It underscores the need for heightened security across an organization's entire digital footprint, not just its core platform. For Okta, this breach will likely deal another blow to its reputation as a trusted custodian of identity management solutions.
The company will need to determine how the threat actor obtained the credential used against the support system, and to add monitoring that detects unauthorized access across its customer-facing systems, not only its core platform. The incident shows that, despite its strategic role, Okta remains exposed to security failures that put both its own data and its customers at risk.
Okta Hit With Series of Security Incidents Over Past Two Years
The newly disclosed breach of Okta's customer support portal is the latest in a string of security incidents impacting the identity management provider over the past two years.
In January 2022, the extortion group Lapsus$ compromised the workstation of a support engineer at Okta's third-party contractor Sitel and, through it, gained access to Okta's internal support tooling and a small number of customer tenants; the incident was disclosed in March 2022. Then in August 2022, the threat actors known as Scatter Swine or 0ktapus breached Twilio and stole one-time passcodes delivered via SMS to Okta users.
Okta's authentication subsidiary Auth0, acquired in 2021, also suffered a breach disclosed in September 2022, with a third party obtaining copies of older source code repositories dating from October 2020 and earlier by a method that was never determined.
And in December 2022, Okta revealed that its own source code had been stolen after hackers compromised its private GitHub repositories.
While the specific details and impacts have varied, this series of security lapses points to systemic issues at Okta when it comes to defending both its own systems and customer data.
As a trusted provider of identity and access management solutions for thousands of major enterprises, Okta has become an increasingly high-value target for sophisticated hackers. However, the repeated incidents over the past two years indicate potential gaps in Okta's cybersecurity posture across its services and internal operations.
Okta will need to conduct thorough investigations into each breach scenario and bolster its defenses across the board. The company faces renewed scrutiny of its security standards and practices.
While no provider can guarantee full protection, Okta will have to demonstrate that it is taking decisive action to harden its systems, monitoring, and response plans. Okta's customers will also likely re-evaluate their own security strategies in light of this troubling pattern of compromises afflicting a core identity provider.