Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop, exposing credentials that led to the theft of data from multiple Okta customers.
A brief post-mortem from Okta security chief David Bradbury said the internal lapse was the “most likely avenue” for the breach that ensnared hundreds of Okta customers, including cybersecurity companies BeyondTrust and Cloudflare.
“We can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers. Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” Bradbury said in a note that contains a detailed timeline of the incident.
He said the threat actor was able to use these session tokens to hijack the legitimate Okta sessions of five customers.
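A HAR file is a JSON capture of browser traffic, so every Cookie, Set-Cookie and Authorization header from the session is stored in the clear, which is why the stolen support attachments contained usable session tokens. The following Python is an added example, not Okta's or any customer's code, of scrubbing those fields before a HAR file is attached to a support case; the list of header names treated as sensitive and the embedded sample capture are this example's own assumptions.

```python
"""Redact session material from a HAR (HTTP Archive) before sharing it."""
import copy
import json

REDACTED = "[REDACTED]"
# Assumed set of header names (lower-cased) whose values carry credentials
# or session state; extend it for any product-specific session header.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}


def _scrub_headers(headers):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _scrub_cookies(cookies):
    for c in cookies:          # the parsed cookie list duplicates header data
        c["value"] = REDACTED


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of `har` with cookie values and sensitive header
    values replaced in every request and response entry."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_headers(msg.get("headers", []))
            _scrub_cookies(msg.get("cookies", []))
    return out


def count_exposed_tokens(har: dict) -> int:
    """Count cookie and sensitive-header values still in the clear (0 = safe to share)."""
    n = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            n += sum(1 for h in msg.get("headers", [])
                     if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED)
            n += sum(1 for c in msg.get("cookies", []) if c.get("value") != REDACTED)
    return n


# Constructed sample: one exchange carrying a bearer token and a session cookie.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.test/api/v1/users/me",
                "headers": [{"name": "Authorization", "value": "Bearer constructed-token"},
                            {"name": "Cookie", "value": "sid=constructed-session-id"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "constructed-session-id"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=rotated-constructed; HttpOnly"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "rotated-constructed"}]}}]}}

if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```

Redaction only limits what a leaked attachment exposes; the tokens themselves remain valid until the sessions are revoked, so scrubbing complements rather than replaces short session lifetimes and session binding.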
Bradbury said the hackers leveraged a service account stored in the system itself that was granted permissions to view and update customer support cases.
“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account,” he said.
“The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”
Bradbury fessed up to a failure of internal controls to spot the breach. “For a period of 14 days, while actively investigating, Okta did not identify suspicious downloads in our logs. When a user opens and views files attached to a support case, a specific log event type and ID is generated tied to that file. If a user instead navigates directly to the Files tab in the customer support system, as the threat actor did in this attack, they will instead generate an entirely different log event with a different record ID.”
The Okta chief security officer said his team’s initial investigations focused on access to support cases and later made a major breakthrough after BeyondTrust shared a suspicious IP address attributed to the threat actor.
“With this indicator, we identified the additional file access events associated with the compromised account,” Bradbury explained.
Okta has found itself in the crosshairs of multiple hacking groups that target its infrastructure to break into third-party organizations.
In September, Okta said a sophisticated hacking group targeted IT service desk personnel in an effort to convince them to reset multi-factor authentication (MFA) for high-privilege users within the targeted organization.
In that attack, Okta said hackers used new lateral movement and defense evasion methods, but it has not shared any information on the threat actor itself or its ultimate goal. It’s unclear if it’s related, but last year many Okta customers were targeted as part of a financially motivated cybercrime campaign named 0ktapus.