
Okta Hack Blamed on Employee Using Personal Google Account on Company Laptop

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.


Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop, exposing credentials that led to the theft of data from multiple Okta customers.

A brief post-mortem from Okta security chief David Bradbury said the internal lapse was the “most likely avenue” for the breach that ensnared hundreds of Okta customers, including cybersecurity companies BeyondTrust and Cloudflare.

“We can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers. Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” Bradbury said in a note that contains a detailed timeline of the incident.

He said the threat actor was able to use these session tokens to hijack the legitimate Okta sessions of five customers.
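The HAR files mentioned above are browser network captures, and by default they record every request and response header, including the Cookie and Set-Cookie headers that carry a live session. The following is an added example, not code from Okta or from the article, of a small sanitizer a support team could run before a customer attaches a capture to a case: it locates unredacted session material in a HAR 1.2 document, replaces it in a copy, and drops bodies that may echo tokens. The header list and the sample capture are constructed for the example.

```python
"""Redact session material from a HAR capture before it is attached to a support case."""
import copy
import json

# Header names that typically carry bearer or session tokens. This set is an
# assumption for the example, not a list published by Okta.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"

# A constructed two-entry HAR 1.2 capture, trimmed to the fields that matter here.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.com/api/v1/users/me",
                    "headers": [
                        {"name": "Accept", "value": "application/json"},
                        {"name": "Cookie", "value": "sid=abc123; JSESSIONID=def456"},
                    ],
                    "cookies": [{"name": "sid", "value": "abc123"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=abc123; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "abc123"}],
                    "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"},
                },
            },
            {
                "request": {"method": "GET", "url": "https://example.okta.com/static/app.js",
                            "headers": [{"name": "Accept", "value": "*/*"}], "cookies": []},
                "response": {"status": 200, "headers": [], "cookies": [],
                             "content": {"mimeType": "text/javascript", "text": "console.log(1)"}},
            },
        ],
    }
}


def find_session_material(har):
    """Return the locations of headers and cookies that still hold session values."""
    found = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for hdr in msg.get("headers", []):
                if hdr["name"].lower() in SENSITIVE_HEADERS and hdr["value"] != REDACTED:
                    found.append(f"entries[{i}].{side}.headers.{hdr['name']}")
            for ck in msg.get("cookies", []):
                if ck["value"] != REDACTED:
                    found.append(f"entries[{i}].{side}.cookies.{ck['name']}")
    return found


def sanitize_har(har, drop_bodies=True):
    """Return a copy of the capture with session material redacted.

    Values are replaced rather than deleted so the support engineer still sees
    which headers were present. Request and response bodies are dropped by
    default because API responses and login posts may echo tokens as JSON.
    """
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for hdr in msg.get("headers", []):
                if hdr["name"].lower() in SENSITIVE_HEADERS:
                    hdr["value"] = REDACTED
            for ck in msg.get("cookies", []):
                ck["value"] = REDACTED
        if drop_bodies:
            for body in (entry.get("request", {}).get("postData"),
                         entry.get("response", {}).get("content")):
                if body and "text" in body:
                    body["text"] = REDACTED
                    body["comment"] = "body removed before upload"
    return clean


if __name__ == "__main__":
    print("before:", find_session_material(SAMPLE_HAR))
    clean = sanitize_har(SAMPLE_HAR)
    print("after: ", find_session_material(clean))
    print(json.dumps(clean, indent=1)[:400])
```

Running the script on a real capture is simply `sanitize_har(json.load(open("capture.har")))` followed by `json.dump`; the original is never modified, so the customer can keep an intact copy locally while only the redacted one leaves the machine.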

Bradbury said the hackers leveraged a service account stored in the system itself that was granted permissions to view and update customer support cases.

“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account,” he said.

“The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

Bradbury fessed up to a failure of internal controls to spot the breach. “For a period of 14 days, while actively investigating, Okta did not identify suspicious downloads in our logs. When a user opens and views files attached to a support case, a specific log event type and ID is generated tied to that file. If a user instead navigates directly to the Files tab in the customer support system, as the threat actor did in this attack, they will instead generate an entirely different log event with a different record ID.”
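The detection gap Bradbury describes is a general one: a rule keyed to a single event type misses the same action reached by a different path in the UI. The following added example, which is not Okta's code and does not use Okta's real event type names, shows the difference over constructed log lines. Both event types are treated as a file access, counts are compared against a rule that only watches the in-case path, and a sliding-window threshold plus an optional indicator IP list (the kind of pivot BeyondTrust's shared address later gave Okta) raise alerts. The event names, actor names and addresses are all constructed for the example.

```python
"""Count support-attachment accesses regardless of which UI path produced the event."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Both event types represent reading a file attached to a case. The names are
# constructed for this example; they are not Okta's actual event type identifiers.
CASE_VIEW = "support.case.attachment_viewed"      # opened from inside a case
DIRECT_DOWNLOAD = "support.files.file_downloaded"  # fetched directly from the Files tab
FILE_ACCESS_EVENTS = {CASE_VIEW, DIRECT_DOWNLOAD}

# Constructed sample log: timestamp, actor, event type, source IP, key=value attributes.
SAMPLE_LOG = """\
2023-10-02T09:15:01Z svc-support support.case.attachment_viewed 203.0.113.10 case=1001 file=har-77
2023-10-02T09:16:40Z alice support.case.attachment_viewed 198.51.100.5 case=1002 file=har-78
2023-10-02T09:17:02Z svc-support support.files.file_downloaded 203.0.113.10 file=har-79
2023-10-02T09:17:09Z svc-support support.files.file_downloaded 203.0.113.10 file=har-80
2023-10-02T09:17:15Z svc-support support.files.file_downloaded 203.0.113.10 file=har-81
2023-10-02T10:40:00Z alice support.case.attachment_viewed 198.51.100.5 case=1003 file=har-82
2023-10-02T10:41:30Z svc-support support.case.note_added 203.0.113.10 case=1001
2023-10-02T11:05:12Z svc-support support.files.file_downloaded 203.0.113.10 file=har-83
"""


def parse_line(line):
    """Split one log line into a dict; trailing key=value pairs become fields."""
    ts, actor, event, ip, *rest = line.split()
    attrs = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "actor": actor, "event": event, "ip": ip, **attrs}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def file_access_counts(events, event_types):
    """Per-actor count of events whose type is in `event_types`."""
    return Counter(e["actor"] for e in events if e["event"] in event_types)


def detect(events, threshold=3, window=timedelta(hours=1), indicator_ips=frozenset()):
    """Alert on any actor with `threshold` file accesses inside a sliding `window`,
    and on any file access from a known indicator IP. Each (actor, reason) fires once."""
    alerts, alerted = [], set()
    recent = defaultdict(list)  # actor -> timestamps of file accesses in the window

    def fire(actor, reason):
        if (actor, reason) not in alerted:
            alerted.add((actor, reason))
            alerts.append((actor, reason))

    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] not in FILE_ACCESS_EVENTS:
            continue
        if e["ip"] in indicator_ips:
            fire(e["actor"], f"file access from indicator IP {e['ip']}")
        times = recent[e["actor"]]
        times.append(e["ts"])
        while times and e["ts"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            fire(e["actor"], f"{threshold} file accesses within {window}")
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("in-case path only:", dict(file_access_counts(events, {CASE_VIEW})))
    print("both paths:       ", dict(file_access_counts(events, FILE_ACCESS_EVENTS)))
    print("alerts:", detect(events))
    print("with indicator:", detect(events, indicator_ips={"203.0.113.10"}))
```

The first two printed lines show the failure mode directly: watching only the in-case event type reports one access for the service account, while counting both paths reports five. The detection rule is deliberately written against the set of event types rather than a single name, so adding a third access path later is a one-line change to the set, not a new rule.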


The Okta chief security officer said his team’s initial investigations focused on access to support cases and later made a major breakthrough after BeyondTrust shared a suspicious IP address attributed to the threat actor.

“With this indicator, we identified the additional file access events associated with the compromised account,” Bradbury explained.

Okta has found itself in the crosshairs of multiple hacking groups that target its infrastructure to break into third-party organizations.

In September, Okta said a sophisticated hacking group targeted IT service desk personnel in an effort to convince them to reset multi-factor authentication (MFA) for high-privilege users within the targeted organization.

In that attack, Okta said hackers used new lateral movement and defense evasion methods, but it has not shared any information on the threat actor itself or its ultimate goal. It’s unclear if it’s related, but last year many Okta customers were targeted as part of a financially motivated cybercrime campaign named 0ktapus.

Related: Okta Support System Hacked, Sensitive Customer Data Stolen

Related: Okta Says US Customers Targeted in Sophisticated Attacks

Related: Okta Confirms Source Code Stolen by Hackers

Related: Microsoft, Okta Confirm Data Breaches Via Compromised Accounts

Related: Okta Closes Lapsus$ Breach Probe, Adds New Security Controls


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
