Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

Okta Support System Hacked, Sensitive Customer Data Stolen

Okta warns that hackers broke into its support case management system and stole sensitive data that can be used to impersonate valid users.

Identity and access management tech firm Okta on Friday warned that hackers broke into its support case management system and stole sensitive data that can be used to impersonate valid users.

A security notice from Okta security chief David Bradbury said the company found “adversarial activity” that leveraged access to a stolen credential to access the support case management system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Bradbury said, cautioning that the stolen data includes sensitive cookies and session tokens for additional attacks.

From the Okta advisory:

Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. 

Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it. 

Bradbury said the compromised Okta support case management system is separate from the production Okta service, which was not impacted and remains fully operational.  He said the Auth0/CIC case management system was also not impacted by this incident.

Okta released a list of suspicious IP addresses (the majority are commercial VPN nodes) and recommended that customers search System Logs for any given suspicious session, user or IP.  

Advertisement. Scroll to continue reading.

In a separate alert, security firm BeyondTrust said it was a target of a cyberattack linked to this Okta support system breach.

“The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system. Custom policy controls blocked the attacker’s initial activity, but limitations in Okta’s security model allowed them to perform a few confined actions,” BeyondTrust said.

Okta has found itself in the crosshairs of multiple hacking groups that target its infrastructure to break into third-party organizations. 

Just last month, Okta said a sophisticated hacking group  targeted IT service desk personnel in an effort to convince them to reset multi-factor authentication (MFA) for high-privilege users within the targeted organization. 

In that attack, Okta said hackers used new lateral movement and defense evasion methods, but it has not shared any information on the threat actor itself or its ultimate goal. It’s unclear if it’s related, but last year many Okta customers were targeted as part of a financially motivated cybercrime campaign named 0ktapus

Related: Okta Says US Customers Targeted in Sophisticated Attacks

Related: Okta Confirms Source Code Stolen by Hackers

Related: Microsoft, Okta Confirm Data Breaches Via Compromised Accounts

Related: Okta Closes Lapsus$ Breach Probe, Adds New Security Controls

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Check Point Software has appointed Nadav Zafrir as Chief Executive Officer.

BlackFog has named Brenda Robb as President, John Sarantakes as CRO, and Mark Griffith as VP of Strategic Sales.

Former NSA cybersecurity chief Rob Joyce has joined Sandfly Security's Advisory Board.

More People On The Move

Expert Insights