"Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event" Okta wrote.
With those stolen session tokens the threat actor hijacked live Okta administrator sessions at the affected customers. Three of them, 1Password, BeyondTrust, and Cloudflare, had already publicly disclosed unauthorized access attempts against their Okta administrator accounts.
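The practical lesson from the HAR detail is that a browser capture shared with a vendor's support desk carries every cookie, bearer token and API response of the session it recorded. The following is an added example, not code from Okta or from this article, that redacts session material from a HAR 1.2 file before it leaves the organization. The header and parameter names it treats as sensitive are my own starting list, and the sample capture at the bottom is constructed for the demonstration.

```python
"""Redact session material from a HAR file before sharing it with a support vendor.

Added example; assumes the standard HAR 1.2 JSON layout (log.entries[].request/response).
The sensitive header/parameter names are an assumed starting list, not Okta's guidance.
"""
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "sessiontoken", "code", "password"}
REDACTED = "[REDACTED]"


def _redact_pairs(pairs, names=None):
    """Overwrite the value of each {name, value} pair whose name is in `names`
    (every pair when `names` is None, which is how cookie lists are treated)."""
    count = 0
    for pair in pairs:
        if names is None or pair.get("name", "").lower() in names:
            if pair.get("value") != REDACTED:
                pair["value"] = REDACTED
                count += 1
    return count


def _redact_url(url):
    """Redact sensitive query parameters in a URL. The HAR keeps the query both in
    request.url and in request.queryString, so both need scrubbing."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    count, kept = 0, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS and value != REDACTED:
            kept.append((key, REDACTED))
            count += 1
        else:
            kept.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), count


def _redact_json_text(text):
    """Redact sensitive keys inside a JSON body (a sessionToken in an API response,
    a password in a login POST). Non-JSON bodies are returned untouched."""
    try:
        doc = json.loads(text)
    except (TypeError, ValueError):
        return text, 0
    count = 0

    def walk(node):
        nonlocal count
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in SENSITIVE_PARAMS and isinstance(value, str) and value != REDACTED:
                    node[key] = REDACTED
                    count += 1
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(doc)
    return json.dumps(doc), count


def sanitize_har(har):
    """Return (sanitized deep copy, number of redacted values); the input is not modified."""
    clean = copy.deepcopy(har)
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"], n = _redact_url(req.get("url", ""))
        count += n
        count += _redact_pairs(req.get("headers", []), SENSITIVE_HEADERS)
        count += _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        count += _redact_pairs(req.get("cookies", []))
        post = req.get("postData", {})
        count += _redact_pairs(post.get("params", []), SENSITIVE_PARAMS)
        if "text" in post:
            post["text"], n = _redact_json_text(post["text"])
            count += n
        count += _redact_pairs(resp.get("headers", []), SENSITIVE_HEADERS)
        count += _redact_pairs(resp.get("cookies", []))
        for header in resp.get("headers", []):
            if header.get("name", "").lower() == "location":  # OAuth/OIDC redirects carry codes
                header["value"], n = _redact_url(header.get("value", ""))
                count += n
        content = resp.get("content", {})
        if "text" in content:
            content["text"], n = _redact_json_text(content["text"])
            count += n
    return clean, count


def har_contains(har, needle):
    """Quick check that a known secret no longer appears anywhere in the serialized HAR."""
    return needle in json.dumps(har)


# Constructed sample capture (not a real Okta export): one login round trip.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://example.okta.com/api/v1/authn?token=qp789&lang=en",
        "headers": [{"name": "Content-Type", "value": "application/json"},
                    {"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Authorization", "value": "Bearer tok456"}],
        "queryString": [{"name": "token", "value": "qp789"}, {"name": "lang", "value": "en"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
        "postData": {"mimeType": "application/json",
                     "text": "{\"username\": \"alice\", \"password\": \"hunter2\"}"},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=abc123; Secure; HttpOnly"},
                    {"name": "Location", "value": "https://app.example.com/cb?code=code999&state=xyz"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
        "content": {"mimeType": "application/json",
                    "text": "{\"status\": \"SUCCESS\", \"sessionToken\": \"st321\"}"},
    },
}]}}

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:
        clean, n = sanitize_har(json.load(fh))
    with open(sys.argv[2], "w") as fh:
        json.dump(clean, fh, indent=2)
    print(f"redacted {n} values")
```

Run it as `python sanitize_har.py capture.har capture.clean.har` and then grep the output for any value you know to be a live token before uploading. Two caveats: the name lists are deliberately short, so extend them for your own application's cookie and parameter names, and non-JSON bodies (HTML, form-encoded text) are left intact and still need a manual look.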
Okta believes the attacker obtained the credentials for a service account in its customer support system by compromising an employee's personal Google account. The employee had signed in to that personal account in Chrome on an Okta-managed laptop.
"Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee's personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee's personal Google account or personal device," Okta wrote.
In response, Okta has disabled the compromised account, blocked personal Google usage on company devices, and implemented additional monitoring. The company has notified all potentially impacted customers.
This latest incident follows other breaches at Okta over the past two years. In December 2022, source code was stolen from Okta's GitHub repositories. In March 2022, the extortion group Lapsus$ claimed a breach impacting 2.5% of Okta's customers.
Okta processes authentication requests for thousands of organizations worldwide, and the company stated that less than 1% of its customers were affected by this breach. The small percentage understates the impact: a hijacked administrator session grants the attacker the same access as the administrator's own credentials, with no password or MFA prompt in the way, so each affected tenant was exposed to full administrative compromise.
Organizations relying on Okta for identity management should urgently review Okta's remediation steps, strip session material from any HAR file before sending it to support, and watch for suspicious activity in administrator sessions. Security practitioners note that the repeated breaches highlight how much risk is concentrated in a third-party identity provider, since a compromise of the provider's support tooling reaches into every customer tenant that provider serves.