Data Breaches

Okta Support System Hacked, Sensitive Customer Data Stolen

Okta warns that hackers broke into its support case management system and stole sensitive data that can be used to impersonate valid users.

Identity and access management tech firm Okta on Friday warned that hackers broke into its support case management system and stole sensitive data that can be used to impersonate valid users.

A security notice from Okta security chief David Bradbury said the company found “adversarial activity” that leveraged access to a stolen credential to access the support case management system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Bradbury said, cautioning that the stolen data includes sensitive cookies and session tokens for additional attacks.

From the Okta advisory:

Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. 

Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it. 

Bradbury said the compromised Okta support case management system is separate from the production Okta service, which was not impacted and remains fully operational.  He said the Auth0/CIC case management system was also not impacted by this incident.

Okta released a list of suspicious IP addresses (the majority are commercial VPN nodes) and recommended that customers search System Logs for any given suspicious session, user or IP.  

Advertisement. Scroll to continue reading.

In a separate alert, security firm BeyondTrust said it was a target of a cyberattack linked to this Okta support system breach.

“The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system. Custom policy controls blocked the attacker’s initial activity, but limitations in Okta’s security model allowed them to perform a few confined actions,” BeyondTrust said.

Okta has found itself in the crosshairs of multiple hacking groups that target its infrastructure to break into third-party organizations. 

Just last month, Okta said a sophisticated hacking group  targeted IT service desk personnel in an effort to convince them to reset multi-factor authentication (MFA) for high-privilege users within the targeted organization. 

In that attack, Okta said hackers used new lateral movement and defense evasion methods, but it has not shared any information on the threat actor itself or its ultimate goal. It’s unclear if it’s related, but last year many Okta customers were targeted as part of a financially motivated cybercrime campaign named 0ktapus

Related: Okta Says US Customers Targeted in Sophisticated Attacks

Related: Okta Confirms Source Code Stolen by Hackers

Related: Microsoft, Okta Confirm Data Breaches Via Compromised Accounts

Related: Okta Closes Lapsus$ Breach Probe, Adds New Security Controls

Related Content

Malware & Threats

Okta raises the alarm on credential stuffing attacks targeting endpoints used for cross-origin authentication.

Identity & Access

Prominent security vendors Okta and Proofpoint announced layoffs affecting almost 1,000 employees in the United States and Israel.


Okta agreed to acquire Spera Security in a move broaden Okta’s Identity threat detection and security posture management capabilities.

Identity & Access

Okta expands scope of October breach, saying hackers stole names and email addresses of all its customer support system users.


Under the new rules, wireless carriers are required to notify customers of any SIM transfer requests, a measure designed to thwart fraudulent attempts by...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Identity & Access

Okta says some of its US-based customers have been targeted in social engineering attacks whose goal was to disable MFA and obtain high privileges.


A UK court has found a teenager responsible for a hacking campaign that included one of the biggest breaches in the history of the...

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version