Okta's Support System Breach Exposes Customer Data to Unidentified Threat Actors
22.10.23  Incident  The Hacker News

Identity services provider Okta on Friday disclosed a new security incident that allowed unidentified threat actors to leverage stolen credentials to access its support case management system.

"The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases," David Bradbury, Okta's chief security officer, said. "It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted."

The company also emphasized that its Auth0/CIC case management system was not impacted by the breach, noting it has directly notified customers who have been affected.

However, it said that the customer support system is also used to upload HTTP Archive (HAR) files to replicate end user or administrator errors for troubleshooting purposes.

"HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users," Okta warned.

It further said it worked with impacted customers to ensure that the embedded session tokens were revoked to prevent their abuse.
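The practical lesson of the HAR warning is that a browser capture should be scrubbed before it is attached to any ticket, and checked afterwards. The following is an added example, not Okta's tooling or anything from the article: a scrubber for HAR 1.2 files that redacts cookies, `Cookie`/`Set-Cookie`/`Authorization` headers, token-bearing query and POST parameters, and token responses, plus a pre-upload check that lists whatever raw session material is still present. The header and parameter names treated as sensitive, and the sample capture, are assumptions constructed for the example; extend the sets for the application being debugged.

```python
"""Scrub session material from a HAR file before sharing it with support.

Added example, not Okta's code. Field layout follows the HAR 1.2 spec
(log.entries[].request / response, each with headers and cookies lists).
"""
import copy
import json
import re
import sys

REDACTED = "[REDACTED]"

# Header and parameter names assumed to carry credentials or session material
# (assumption: a common baseline, not an exhaustive list for any product).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-xsrf-token"}
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "code",
                    "sessiontoken"}
# JSON bodies that look like an OAuth/OIDC token response or a session token.
TOKEN_BODY = re.compile(r'"(access_token|id_token|refresh_token|sessionToken)"\s*:')
URL_TOKEN = re.compile(r'([?&](?:access_token|id_token|code|sessionToken)=)[^&#]*')


def _redact_headers(headers):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _redact_cookies(cookies):
    # Every cookie value goes: names stay so the support engineer can still
    # see which cookies were present, values carry the session.
    for c in cookies:
        c["value"] = REDACTED


def _redact_params(params):
    for p in params:
        if p.get("name", "").lower() in SENSITIVE_PARAMS:
            p["value"] = REDACTED


def scrub_har(har: dict) -> dict:
    """Return a deep copy of `har` with session-bearing fields redacted."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        _redact_headers(req.get("headers", []))
        _redact_headers(resp.get("headers", []))
        _redact_cookies(req.get("cookies", []))
        _redact_cookies(resp.get("cookies", []))
        _redact_params(req.get("queryString", []))
        _redact_params(req.get("postData", {}).get("params", []))
        if "url" in req:  # tokens sometimes ride in the URL itself
            req["url"] = URL_TOKEN.sub(r"\g<1>" + REDACTED, req["url"])
        content = resp.get("content", {})
        if isinstance(content.get("text"), str) and TOKEN_BODY.search(content["text"]):
            content["text"] = REDACTED
    return out


def unredacted(har: dict) -> list:
    """List every header/cookie that still carries a raw value; empty means
    the file is safe to attach."""
    found = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for side, hs in (("request", req.get("headers", [])),
                         ("response", resp.get("headers", []))):
            for h in hs:
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    found.append(f"entry {i} {side} header {h['name']}")
        for side, cs in (("request", req.get("cookies", [])),
                         ("response", resp.get("cookies", []))):
            for c in cs:
                if c.get("value") != REDACTED:
                    found.append(f"entry {i} {side} cookie {c.get('name')}")
    return found


# Constructed sample capture (not a real HAR): one request to an Okta-style
# API with a session cookie in both directions.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example.okta.com/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": "sid=102vG7example; DT=DI0example"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102vG7example"}],
        "queryString": []},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102vG7example; Path=/; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102vG7example"}],
        "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1example\"}"}},
}]}}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: scrub_har.py in.har out.har
        with open(sys.argv[1]) as f:
            data = json.load(f)
        with open(sys.argv[2], "w") as f:
            json.dump(scrub_har(data), f, indent=1)
        print("still exposed:", unredacted(scrub_har(data)))
    else:
        print(json.dumps(scrub_har(SAMPLE_HAR), indent=1))
```

Redaction is a fallback, not a substitute for revocation: if a capture has already been uploaded unscrubbed, treat the session as compromised and revoke it, exactly as the article describes Okta doing with affected customers.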

Okta did not disclose the scale of the attack, when the incident took place, and when it detected the unauthorized access. As of March 2023, it has more than 17,000 customers and manages around 50 billion users.

That said, BeyondTrust and Cloudflare are two customers who have confirmed they were targeted in the latest support system attack.

"The threat-actor was able to hijack a session token from a support ticket which was created by a Cloudflare employee," Cloudflare said. "Using the token extracted from Okta, the threat-actor accessed Cloudflare systems on October 18."

Describing it as a sophisticated attack, the web infrastructure and security company said the threat actor behind the activity compromised two separate Cloudflare employee accounts within the Okta platform. It also said that no customer information or systems were accessed as a result of the event.

BeyondTrust said it notified Okta of the breach on October 2, 2023, but the attack on Cloudflare suggests that the adversary had access to Okta's support systems at least until October 18, 2023.

The privileged access management company said its Okta administrator had uploaded a HAR file to the system on October 2 to resolve a support issue, and that it detected suspicious activity involving the session cookie within 30 minutes of sharing the file. The attempted attacks against BeyondTrust were ultimately unsuccessful.

"BeyondTrust immediately detected and remediated the attack through its own identity tools, Identity Security Insights, resulting in no impact or exposure to BeyondTrust's infrastructure or to its customers," a spokesperson for the company told The Hacker News.
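What makes a stolen session cookie detectable is that it keeps its session identifier while the client using it changes. The following is an added example, not BeyondTrust's Identity Security Insights or any Okta product: a check over Okta System Log style events that binds each `externalSessionId` to the IP address and user agent that first used it and raises an alert when the same session later appears from a different client. The events are constructed for the example and trimmed to the fields the check needs; the severity rule (user-agent change outranks IP change) is an assumption.

```python
"""Flag an Okta session id replayed from a client other than the one that
created it. Added example; event fields are a constructed subset of the
Okta System Log shape (published, eventType, actor, client,
authenticationContext.externalSessionId)."""
from collections import namedtuple

SessionBinding = namedtuple("SessionBinding", "user ip user_agent first_seen")

# Constructed events: one admin session used normally, then the same session id
# reappearing 25 minutes later from a new address with a scripted client, and
# an unrelated user's clean session.
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
EVENTS = [
    {"published": "2023-10-02T14:00:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": CHROME}},
     "authenticationContext": {"externalSessionId": "102vG7example"}},
    {"published": "2023-10-02T14:05:00.000Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": CHROME}},
     "authenticationContext": {"externalSessionId": "102vG7example"}},
    {"published": "2023-10-02T14:27:00.000Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "admin@example.com"},
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "python-requests/2.31.0"}},
     "authenticationContext": {"externalSessionId": "102vG7example"}},
    {"published": "2023-10-02T14:30:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "carol@example.com"},
     "client": {"ipAddress": "203.0.113.22",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh) Safari/605.1"}},
     "authenticationContext": {"externalSessionId": "102pQ9example"}},
]


def _client(ev):
    c = ev.get("client", {})
    return c.get("ipAddress"), c.get("userAgent", {}).get("rawUserAgent")


def detect_session_reuse(events):
    """Return one alert per event in which a known session id is used from a
    client that differs from the one it was first bound to."""
    bindings = {}  # externalSessionId -> SessionBinding
    alerts = []
    for ev in sorted(events, key=lambda e: e.get("published", "")):
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        if not sid:
            continue
        ip, ua = _client(ev)
        if sid not in bindings:
            bindings[sid] = SessionBinding(ev.get("actor", {}).get("alternateId"),
                                           ip, ua, ev.get("published"))
            continue
        b = bindings[sid]
        changes = {}
        if ip != b.ip:
            changes["ip"] = (b.ip, ip)
        if ua != b.user_agent:
            changes["user_agent"] = (b.user_agent, ua)
        if changes:
            # Assumption: a new user agent on an existing cookie is a stronger
            # replay signal than an address change alone (mobile/VPN churn).
            severity = "high" if "user_agent" in changes else "medium"
            alerts.append({"session": sid, "user": b.user, "at": ev.get("published"),
                           "event": ev.get("eventType"), "severity": severity,
                           "changes": changes})
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(EVENTS):
        print(a["severity"], a["user"], a["session"], a["at"], a["changes"])
```

The response to a hit is the one the article describes: revoke the session and, because the token came from a support artifact, find the ticket it was attached to.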

The development is the latest in a long list of security mishaps that have singled out Okta over the past few years. The company has become a high-value target for hacking crews because its single sign-on (SSO) services are used by some of the largest companies in the world.

Update:
In a statement shared with The Hacker News, a spokesperson for Okta said the "breach only affected around 1% of our 18,400 customers."