Okta customers may be at risk after a threat actor broke into Okta’s customer support systems and stole sensitive files which could expose customer networks to hackers.
In a blog post released Friday, Australian David Bradbury, chief security officer at corporate authentication company Okta, said a threat actor was able to access the company’s support case management system using a stolen credential.
From there, the hacker(s) was able to view sensitive browser logging files which were uploaded by “certain Okta customers” during recent support cases.
The files themselves – commonly referred to as HTTP Archive (HAR) files – are typically used in troubleshooting to replicate browser activity and allow for analysis of a web browser’s interactions with a given site.
While leaked browser activity is enough to a pose a notable risk to users alone, HAR files also contain sensitive data such as cookies and session tokens which can be leveraged to impersonate valid users.
To make matters worse, this can be done without a password or two-factor authentication.
“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” said Bradbury.
“All customers who were impacted by this have been notified.”
Bradbury further explained the support case management system compromised during the incident is separate to Okta’s production service – which remains “fully operational” and “has not been impacted” – although he did not detail how hackers gained access to a stolen credential in the first instance.
About 1 per cent of Okta customers are reportedly affected by this breach, which is a significant number given Okta’s ubiquity in corporate spaces.
Password manager 1Password – which is used by over 100,000 businesses – has already linked the incident to suspicious activity it detected.
“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” said 1Password CTO Pedro Canahuati.
“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”
Although a thorough investigation concluded no 1Password user data was accessed, it wasn’t until 20 October that the company confirmed the activity was a result of Okta’s support system breach.
Security firm BeyondTrust, another customer of Okta, said it notified Okta of a potential breach on 2 October after it detected an attempted “identity-centric attack” on one of its in-house Okta administrator accounts.
BeyondTrust immediately detected and remediated the attack through its own tools and was quick to point out Okta’s connection to the attack.
“The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers,” said BeyondTrust.
“Okta have now issued this statement confirming the breach that we detected nearly three weeks ago.
“Again, while there was no exposure to BeyondTrust or our customers, we are sharing details of the attack to educate other Okta users and infosec professionals.”
IT service management company Cloudflare further lambasted Okta after it detected unauthorised access to an Okta instance on 18 October, urging Okta to implement best practices such as taking “any report of compromise seriously” and acting immediately to “limit the damage”.
This incident is far from the first at Okta.
In 2022, the company admitted hackers stole some of its source code, security researchers managed to trick Okta’s authentication app into providing malicious access to other users’ data and services, and hackers posted a series of screenshots showing access to the company’s internal network.
