Okta, an identity and access management provider used by thousands of businesses, has disclosed a breach of its customer support system, as reported by KrebsOnSecurity. Okta says the breach affected a very small number of customers, but the available evidence suggests the attackers had access to Okta's support platform for roughly two weeks before the intrusion was contained.
On October 19, Okta notified an unspecified set of customers that an attacker had used stolen credentials to gain access to Okta's support case management system. The intruder appears to have viewed files that customers had uploaded while working support cases.
When troubleshooting a customer issue, Okta support often asks for a log of the Web browser's HTTP traffic, known as an HTTP Archive or HAR file. Such files are sensitive: they typically contain the customer's cookies and session tokens, which an attacker can replay to impersonate the logged-in user without knowing a password or passing multi-factor authentication. After recognizing the breach, Okta took containment measures and advised customers to sanitize HAR files of cookies, tokens and other sensitive data before sharing them.
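The sanitization step above is easy to get wrong by hand, because session material sits in several places in a HAR: the Cookie and Set-Cookie headers, the parsed cookies arrays, query parameters of redirect URLs, form bodies and JSON token responses. The following is an added example, written for this page and not Okta's own sanitizer or any code from the article. It walks a HAR 1.2 document, redacts each of those locations, reports what it removed, and offers a pre-flight check that refuses a file which still carries a live cookie or credential header. The header and parameter name lists, the hypothetical tenant example.okta.com and every token value in the embedded sample are constructed for the example.

```python
"""Redact session material from a HAR file before handing it to a vendor's support desk.

Added example for this article, not Okta's sanitizer. Covers Cookie/Set-Cookie/Authorization
headers, every cookie value, selected query parameters, request bodies and JSON response bodies.
"""
import copy
import json
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Assumed lists; widen them for your own applications.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-csrf-token"}
SENSITIVE_QUERY_PARAMS = {"sessiontoken", "token", "code", "access_token", "id_token"}


def _redact_headers(headers, counts):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value"):
            h["value"] = REDACTED
            counts["headers"] += 1


def _redact_cookies(cookies, counts):
    # Every cookie goes, not only a known session-cookie name: a HAR of a federated
    # login spans several domains, and any one of them may carry a session.
    for c in cookies:
        if c.get("value"):
            c["value"] = REDACTED
            counts["cookies"] += 1


def _redact_query(req, counts):
    # HAR stores the query twice: parsed in queryString and raw inside url. Fix both.
    hit = False
    for p in req.get("queryString", []):
        if p.get("name", "").lower() in SENSITIVE_QUERY_PARAMS and p.get("value"):
            p["value"] = REDACTED
            counts["query"] += 1
            hit = True
    if hit and "url" in req:
        parts = urlsplit(req["url"])
        pairs = [(k, REDACTED if k.lower() in SENSITIVE_QUERY_PARAMS else v)
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        req["url"] = urlunsplit(parts._replace(query=urlencode(pairs)))


def sanitize_har(har):
    """Return (sanitized deep copy, counts of redacted items). The input is not modified."""
    har = copy.deepcopy(har)
    counts = {"headers": 0, "cookies": 0, "query": 0, "bodies": 0}
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        _redact_headers(req.get("headers", []), counts)
        _redact_headers(resp.get("headers", []), counts)
        _redact_cookies(req.get("cookies", []), counts)
        _redact_cookies(resp.get("cookies", []), counts)
        _redact_query(req, counts)
        # Request bodies carry passwords and auth codes; JSON responses carry tokens.
        # HTML responses are kept because they are usually what support needs to see.
        post = req.get("postData", {})
        if post.get("text"):
            post["text"] = REDACTED
            counts["bodies"] += 1
        content = resp.get("content", {})
        if content.get("text") and "json" in content.get("mimeType", "").lower():
            content["text"] = REDACTED
            counts["bodies"] += 1
    return har, counts


def has_session_material(har):
    """Pre-flight check: True if any sensitive header or any cookie still holds a live value."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and (h.get("value") or "") not in ("", REDACTED):
                    return True
            for c in part.get("cookies", []):
                if (c.get("value") or "") not in ("", REDACTED):
                    return True
    return False


# Constructed sample: the tenant name, cookie and token values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"}, "entries": [
    {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                 "headers": [{"name": "Cookie", "value": "sid=abc123; DT=xyz"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "abc123"}, {"name": "DT", "value": "xyz"}],
                 "queryString": []},
     "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=def456; Secure; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "def456"}],
                  "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"}}},
    {"request": {"method": "POST", "url": "https://example.okta.com/oauth2/v1/token",
                 "headers": [{"name": "Authorization", "value": "Basic Y2xpZW50OnNlY3JldA=="}],
                 "cookies": [], "queryString": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA"}},
     "response": {"status": 200, "headers": [{"name": "Content-Type", "value": "application/json"}],
                  "cookies": [], "content": {"mimeType": "application/json", "text": "{\"access_token\":\"eyJ0b2tlbg\"}"}}},
    {"request": {"method": "GET", "url": "https://example.okta.com/app/launch?sessionToken=20111Xyz&next=home",
                 "headers": [], "cookies": [],
                 "queryString": [{"name": "sessionToken", "value": "20111Xyz"}, {"name": "next", "value": "home"}]},
     "response": {"status": 302, "headers": [], "cookies": [],
                  "content": {"mimeType": "text/html", "text": "<html>redirecting</html>"}}},
]}}

if __name__ == "__main__":
    # Usage: python har_sanitize.py capture.har > clean.har   (no argument: run on the sample)
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, counts = sanitize_har(src)
    print(json.dumps(clean, indent=1) if len(sys.argv) > 1 else counts)
    print("redacted:", counts, "still contains session material:", has_session_material(clean), file=sys.stderr)
```

Two design choices are worth noting. Cookies are redacted by position rather than by name, because a HAR recorded during a federated login contains cookies from the identity provider, the application and any intermediaries, and a name-based allow list will miss one of them. The check in has_session_material is deliberately a separate function so it can be run on the file that is actually about to be uploaded, not on the in-memory copy the sanitizer just produced.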
BeyondTrust, a security firm and an Okta customer, was notified of the breach more than two weeks after it had itself reported a likely compromise to Okta. Marc Maiffret, BeyondTrust's CTO, said the company had detected an attempt to use a hijacked Okta session to create a highly privileged administrator account in BeyondTrust's own Okta tenant. The attempt came shortly after BeyondTrust had sent Okta support a HAR file that contained a valid Okta session token, which is consistent with the token having been lifted from the support system and replayed.
Okta initially did not treat BeyondTrust's report as a confirmed compromise, but by October 17 it had acknowledged the breach and contained it, disabling the compromised support account and revoking the Okta access tokens associated with it.
Charlotte Wylie, Okta's Deputy CISO, said the affected customers were a tiny fraction of Okta's roughly 18,000 customers. The disclosure follows recent intrusions at the casino operators Caesars Entertainment and MGM Resorts, in which attackers manipulated Okta multi-factor authentication settings as part of the compromise.
In March 2022, Okta also disclosed a breach by LAPSUS$, a group known for social-engineering employees at its target companies. After that incident, it emerged that LAPSUS$ had compromised a support engineer at Sitel, a third-party contractor with access to Okta's environment.
While details about the duration and the perpetrators of the breach remained undisclosed, Wylie indicated that the attacker might be a familiar adversary. “This is a known threat actor that we believe has targeted us and Okta-specific customers,” she commented.