On October 20, 2023, Okta disclosed a security incident affecting its customer support management system. In a note following that disclosure, Okta said that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers. Some of these files were HAR files that contained session tokens, which were later successfully used in session hijacking attacks against Okta customers. Subsequent analysis by Okta found that the attacker behind its September data breach stole more information than it first discovered, including details for all users of its primary customer support system. On Nov. 29, 2023, Okta released a public statement about this incident with an update and recommended actions for Okta customers.
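Because the stolen HAR files carried live session tokens, a practical defender-side control is to redact tokens from a HAR file before it is uploaded to any support portal. The sanitizer below is an added example, not code from Okta or Versa; the header and query parameter names it treats as sensitive, the JWT pattern, and the sample HAR document are assumptions constructed for illustration.

```python
import json
import re
from copy import deepcopy

REDACTED = "[REDACTED]"
# Header names that commonly carry bearer tokens or session cookies.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Query parameters that can carry tokens or OAuth authorization codes.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code"}
# Compact JWT shape: three base64url segments, the first starting with "eyJ".
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")

def _scrub_pairs(pairs, names):
    # Redact the value of every {name, value} pair whose name is in `names`.
    for pair in pairs:
        if str(pair.get("name", "")).lower() in names:
            pair["value"] = REDACTED

def sanitize_har(har: dict) -> dict:
    """Return a redacted copy of a HAR 1.2 document; the input is left unmodified."""
    har = deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        _scrub_pairs(req.get("headers", []), SENSITIVE_HEADERS)
        _scrub_pairs(resp.get("headers", []), SENSITIVE_HEADERS)
        for cookie in req.get("cookies", []) + resp.get("cookies", []):
            cookie["value"] = REDACTED
        _scrub_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        # Bodies (POST data, response content) often carry tokens too; scrub JWT shapes.
        for box in (req.get("postData", {}), resp.get("content", {})):
            if isinstance(box.get("text"), str):
                box["text"] = JWT_RE.sub(REDACTED, box["text"])
    return har

# Constructed sample: a session cookie, a bearer token, and a JWT in the response body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.test/api/me",
                "headers": [{"name": "Cookie", "value": "sid=abc123"},
                            {"name": "Authorization", "value": "Bearer eyJhbGci.eyJzdWIi.sig"}],
                "queryString": [{"name": "id_token", "value": "eyJhbGci.eyJzdWIi.sig"}],
                "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=def456"}],
                 "cookies": [{"name": "sid", "value": "def456"}],
                 "content": {"mimeType": "application/json",
                             "text": '{"access_token":"eyJhbGci.eyJzdWIi.sig","user":"alice"}'}}}]}}

def leaked_secrets(har: dict) -> list:
    """Return which of the sample's secrets still appear anywhere in the serialised HAR."""
    blob = json.dumps(har)
    return [s for s in ("abc123", "def456", "eyJhbGci.eyJzdWIi.sig") if s in blob]
```

Run `sanitize_har` on a HAR exported from the browser and check `leaked_secrets`-style searches for your own known token values before sharing the file; non-JWT opaque tokens in bodies still need a pattern of their own.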
As per Okta, the hackers leveraged a service account stored in the system itself that had been granted permissions to view and update customer support cases. During its investigation into the suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential was the compromise of the employee’s personal Google account or personal device.
On Nov 29, Okta disclosed that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted, except customers in Okta FedRAMP High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident.
Given that names and email addresses were downloaded, Okta has assessed that there is an increased risk of phishing and social engineering attacks directed at these users. While 94% of Okta customers already require MFA for their administrators, Okta is recommending that ALL Okta customers employ MFA and consider the use of phishing-resistant authenticators, such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV or CAC smart cards, to further enhance their security. Customers should refer to Okta product documentation to enable MFA for the admin console (Classic or OIE). Full details on Okta recommendations are available in the public statement released by Okta CSO David Bradbury on Nov 29, 2023.
Okta customers may be vulnerable to phishing and other social engineering attacks in the wake of the Okta security incident. Phishing is often used to steal identity (login credentials) and credit card information, but it can also lead to endpoint attacks in which the user’s device or browser is compromised, which in turn lead to network attacks such as ransomware.
Versa security protections protect customers against identity and endpoint attacks arising from the Okta security incident:
Versa ZTNA extends to local on-premises environments, and Zero Trust access is similarly enforced for users in the branch, campus, or data center, limiting lateral movement inside the network.