Identity and access management provider Okta on Friday disclosed that the recent support case management system breach affected 134 of its 18,400 customers.
It further noted that the unauthorized intruder had access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking attacks.
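HAR files are plain JSON captures of browser traffic, so any `Cookie`, `Set-Cookie` or `Authorization` header recorded in them carries live credentials. The following is an added example (not Okta's tooling or anything from the original report) of the scrubbing step a support process should apply before a HAR file is uploaded to a ticket: it walks the standard HAR `log.entries` structure, redacts credential-bearing headers and cookie values, and reports how many values it replaced. The sample HAR and the token string in it are constructed for the example.

```python
import copy
import json
from typing import Tuple

# Header names whose values carry bearer credentials or session cookies.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"


def sanitize_har(har: dict) -> Tuple[dict, int]:
    """Return a deep copy of the HAR with credential-bearing fields redacted,
    plus the number of values that were replaced. The input is not modified."""
    har = copy.deepcopy(har)
    redacted = 0
    for entry in har.get("log", {}).get("entries", []):
        # Both the request and the response side of an entry can leak a token:
        # the request via Cookie/Authorization, the response via Set-Cookie.
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    redacted += 1
            # HAR also stores parsed cookies separately from the raw headers.
            for cookie in msg.get("cookies", []):
                if "value" in cookie:
                    cookie["value"] = REDACTED
                    redacted += 1
    return har, redacted


def contains_secret(har: dict, secret: str) -> bool:
    """Check whether a known token string still appears anywhere in the HAR."""
    return secret in json.dumps(har)


# Constructed sample: one request/response pair as a browser would record it.
SAMPLE_TOKEN = "constructed-session-token-000"
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.invalid/api/v1/users/me",
                    "headers": [
                        {"name": "Host", "value": "example.invalid"},
                        {"name": "Cookie", "value": f"sid={SAMPLE_TOKEN}"},
                        {"name": "Authorization", "value": f"Bearer {SAMPLE_TOKEN}"},
                    ],
                    "cookies": [{"name": "sid", "value": SAMPLE_TOKEN}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": f"sid={SAMPLE_TOKEN}; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": SAMPLE_TOKEN}],
                },
            }
        ],
    }
}


if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} values; token still present: {contains_secret(clean, SAMPLE_TOKEN)}")
```

The redaction deliberately covers the parsed `cookies` arrays as well as the raw headers, because a scrub that only touches `Cookie` and `Set-Cookie` leaves the same token sitting a few lines lower in the file.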
“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers,” Okta’s Chief Security Officer, David Bradbury, said.
Three of those affected include 1Password, BeyondTrust, and Cloudflare. 1Password was the first company to report suspicious activity on September 29. Two other unnamed customers were identified on October 12 and October 18.
Now, the company has shared some more details of how this happened.
It said the access to Okta’s customer support system abused a service account stored in the system itself, which had privileges to view and update customer support cases.
Further investigation revealed that the username and password of the service account had been saved to an employee’s personal Google account and that the user had signed in to their personal account on the Chrome web browser of their Okta-managed laptop.
“The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device,” Bradbury said.
Okta has since revoked the session tokens embedded in the HAR files shared by the affected customers and disabled the compromised service account.
It has also blocked the use of personal Google profiles within enterprise versions of Google Chrome, preventing its employees from signing in to their personal accounts on Okta-managed laptops.
“Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators,” Bradbury said.
“Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.”
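Binding a session to the network it was issued from means a token copied out of a HAR file and replayed from elsewhere is rejected instead of honoured. The following is an added example of that server-side check, written for this page and not Okta's implementation: the store records the client's network prefix at login, and a later request from a different prefix invalidates the session and demands re-authentication. The prefix granularity (/24 for IPv4, /64 for IPv6) and the sample IP addresses are assumptions made for the example.

```python
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    network: str     # network prefix the session was bound to at login
    created: float


def network_prefix(ip: str) -> str:
    """Collapse a client IP to the prefix used for binding.
    Assumed granularity for this example: /24 for IPv4, /64 for IPv6."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def _token_key(token: str) -> str:
    # Store only a hash so a dump of the session table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, user: str, client_ip: str) -> str:
        """Issue a fresh session token bound to the caller's network."""
        token = secrets.token_urlsafe(32)
        self._sessions[_token_key(token)] = Session(
            user=user, network=network_prefix(client_ip), created=time.time()
        )
        return token

    def authorize(self, token: str, client_ip: str) -> str:
        """Return 'ok', 'invalid', or 'reauth_required'.
        A network change revokes the session so the same token cannot be
        retried from the new location; the user must log in again."""
        key = _token_key(token)
        session = self._sessions.get(key)
        if session is None:
            return "invalid"
        if network_prefix(client_ip) != session.network:
            del self._sessions[key]
            return "reauth_required"
        return "ok"


def demo() -> list:
    """Walk through the expected decisions using constructed documentation-range IPs."""
    store = SessionStore()
    token = store.login("admin@example.invalid", "203.0.113.10")
    return [
        store.authorize(token, "203.0.113.10"),   # same host -> ok
        store.authorize(token, "203.0.113.77"),   # same /24 -> ok
        store.authorize(token, "198.51.100.5"),   # different network -> reauth_required
        store.authorize(token, "203.0.113.10"),   # session was revoked -> invalid
    ]


if __name__ == "__main__":
    print(demo())
```

Revoking on mismatch, rather than merely refusing the one request, is what turns the check into a mitigation: once the stolen token trips the binding, the legitimate user is forced through login and the attacker's copy is dead even from the original network.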
The development comes days after Okta revealed that personal information belonging to 4,961 current and former employees was exposed after its healthcare coverage vendor, Rightway Healthcare, was breached on September 23, 2023. Compromised data included names, Social Security numbers, and health or medical insurance plan details.