Okta says attackers who breached its customer support system last month gained access to files belonging to 134 customers, five of them later being targeted in session hijacking attacks with the help of stolen session tokens.
“From September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers,” Okta revealed.
“Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event.”
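The HAR files carried session tokens because a HAR capture records every request and response header, Cookie, Set-Cookie and Authorization included, along with the bodies. As an added example (not from the article or from Okta), the script below redacts that material from a HAR file before it is handed to any support team; the one-entry sample HAR and its session id are constructed, and the `sanitize_har` function and `SENSITIVE_HEADERS` set are names chosen here.

```python
import copy

# Header names whose values carry session or bearer material (case-insensitive).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def _redact(items, keep):
    """Blank the value of every item for which keep(name) is False; return the count."""
    hits = 0
    for item in items or []:
        if "value" in item and not keep(item.get("name", "")):
            item["value"] = REDACTED
            hits += 1
    return hits

def sanitize_har(har, drop_bodies=True):
    """Return (sanitized deep copy, number of values redacted).
    Headers: only the sensitive ones are blanked. Cookies: every value is blanked,
    since the HAR 'cookies' arrays duplicate the Cookie/Set-Cookie headers.
    Bodies are dropped too by default: login and token endpoints often echo tokens there.
    """
    clean = copy.deepcopy(har)  # never mutate the caller's capture
    hits = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            hits += _redact(message.get("headers"), lambda n: n.lower() not in SENSITIVE_HEADERS)
            hits += _redact(message.get("cookies"), lambda n: False)
        if drop_bodies:
            if "postData" in entry.get("request", {}):
                entry["request"]["postData"] = {"mimeType": "", "text": REDACTED}
            if "content" in entry.get("response", {}):
                entry["response"]["content"]["text"] = REDACTED
    return clean, hits

# Constructed one-entry HAR with a made-up session id (not a real token).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://sso.example.org/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=FAKE-SESSION-ID-123"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "FAKE-SESSION-ID-123"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=FAKE-SESSION-ID-123; Secure"}],
                 "cookies": [{"name": "sid", "value": "FAKE-SESSION-ID-123"}],
                 "content": {"mimeType": "application/json", "text": "{\"id\": \"00u0\"}"}}}]}}

if __name__ == "__main__":
    sanitized, redacted = sanitize_har(SAMPLE_HAR)
    print(f"redacted {redacted} values; Cookie header now reads {sanitized['log']['entries'][0]['request']['headers'][0]['value']}")
```

Run it against a real capture by loading the file with `json.load` and writing the first element of the returned tuple back out; a non-zero second element tells you the original file should be treated as a credential and deleted once the sanitized copy is made.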
The three Okta customers that already disclosed they were targeted due to the company’s October security breach are 1Password, BeyondTrust, and Cloudflare. All of them notified Okta of suspicious activity after detecting unauthorized attempts to log into in-house Okta administrator accounts.
Despite being alerted about session hijacking attempts on September 29, Okta took over two weeks to officially confirm the breach of its support system after multiple meetings with the three affected customers.
To breach Okta’s support system, the threat actors used credentials for a support service account stolen from an employee’s personal Google account after they logged into their personal Google profile while using an Okta-managed laptop.
While Okta did not share how the attackers stole the service account credentials, the company said that “the most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”
In response to the breach, Okta took several measures to prevent similar incidents in the future, including disabling the compromised service account, blocking the use of personal Google profiles with Google Chrome on Okta-managed devices, deploying additional detection and monitoring rules for its customer support system, and binding Okta administrator session tokens based on network location.
“We have notified all customers of our findings and have completed remediations to protect all our customers. We apologize to all our customers that trust Okta as their identity provider,” Okta told BleepingComputer after the article was published.
Multiple hits over the last two years
Earlier this week, Okta warned nearly 5,000 current and former employees that their personal information was exposed after its healthcare coverage provider, Rightway Healthcare, was breached on September 23.
Sensitive information exposed in this third-party breach includes employees’ full names, their social security numbers (SSNs), and Health or Medical Insurance plan numbers.
Over the last two years, Okta has experienced multiple other breaches due to credential theft and social engineering attacks.
In December 2022, Okta acknowledged a security breach where hackers accessed confidential source code information stored within its private GitHub repositories.
Okta subsidiary Auth0 also disclosed that the contents of some older source code repositories were stolen by unknown attackers using an unknown method.
Update November 03, 10:45 EDT: Added statement from Okta.