Hackers stole customer access tokens from Okta’s support unit, admits firm

All customers who were impacted in the security breach have been notified by the company.

San Francisco: Identity and access company Okta has identified “adversarial activity” that leveraged access to a stolen credential to access Okta’s support case management system.

The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases, admitted Okta chief security officer David Bradbury.

“It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted,” he mentioned in a blog post late on Friday.

All customers who were impacted in the security breach have been notified by the company.

Okta provides companies with access and identity tools, such as “single sign-on”. It has more than 18,000 customers with more than 7,000 integrations.

Bradbury said that Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity.

“HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” he informed.

Security firm BeyondTrust, which uses Okta, said that it notified the company of a potential breach on October 2 after it detected an attempted compromise to its network.

The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system.

“BeyondTrust’s own Identity Security Insights tool alerted the team of the attack, and they were able to block all access and verify that that attacker did not gain access to any systems,” said the company.

Okta is recommending its customers to sanitise all credentials and cookies/session tokens within a HAR file before sharing it.

Back to top button