Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Okta Warns of Credential Stuffing Attacks Targeting Cross-Origin Authentication

Okta raises the alarm on credential stuffing attacks targeting endpoints used for cross-origin authentication.

Identity and access management solutions provider Okta is warning customers of credential stuffing attacks targeting the Customer Identity Cloud’s cross-origin authentication feature.

According to Okta, since April 15, threat actors have been using username and password combinations potentially obtained from phishing, malware attacks, or previous data breaches in attempts to compromise some of its customers’ tenants.

“Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks,” the company warned.

According to Okta, customers should review the logs for every tenant to identify any suspicious activity, including failed cross-origin authentication (fcoa), successful attempts (scoa), and attempts to log in using a leaked password (pwd_leak).

“If your tenant does not use cross-origin authentication, but `scoa` or fcoa events are present in event logs, then it is likely your tenant has been targeted in a credential stuffing attack,” Okta said.

“If your tenant does use cross-origin authentication and either saw a spike of ‘scoa’ events in April or an increase in the ratio of failure-to-success events (fcoa/scoa), then it is likely your tenant has been targeted in a credential stuffing attack,” the company added.

Customers are advised to immediately rotate any user passwords that might have been compromised in a credential stuffing attack.

To mitigate the risks associated with credential stuffing, Okta recommends enrolling users in passwordless, phishing resistant authentication, such as passkeys, which it supports in all its Auth0 plans.

Advertisement. Scroll to continue reading.

The company also recommends enforcing strong password requirements and implementing multi-factor authentication (MFA), disabling tenants that do not use cross-origin authentication, restricting permitted origins for cross-origin authentication, and enabling breached password detection for tenants.

Okta’s warning comes roughly half a year after the company announced that the names and email addresses of all its customer support system users were stolen in an October 2023 cyberattack. The Auth0/CIC support case management system was not affected.

In September, threat actors targeted Okta’s IT service desk personnel, to convince them to reset MFA for high-privilege users at multiple US-based customers.

Shares of Okta (NASDAQ: OKTA) are trading roughly 5% higher in pre-market trading on Thursday after the company reported earnings on Wednesday and boosted its outlook. The company said it expects revenue of $2.530 billion to $2.540 billion for the full year, representing a growth rate of 12% year-over-year.

Related: Okta Warns of Credential Stuffing Attacks Using Tor, Residential Proxies

Related: 340,000 Jason’s Deli Customers Potentially Impacted by Credential Stuffing Attack

Related: PayPal Warns Users of Credential Stuffing Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights