Threat actors breached Okta support system and stole customers’ data

Okta revealed that threat actors breached its support case management system and stole sensitive data that can be used in future attacks.

Okta says that threat actors broke into its support case management system and stole authentication data, including cookies and session tokens, that can be abused in future attacks to impersonate valid users.

During normal support work, Okta asks customers to upload an HTTP Archive (HAR) file, a JSON record of a browser session that lets support staff replicate the browser activity behind a reported problem. Because a HAR file captures full request and response headers and bodies, it can also contain sensitive data, including cookies, session tokens and other authentication material.

“Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.” reads the data breach notification published by the company.

According to the advisory, Okta Security identified adversarial activity that used a stolen credential to gain access to Okta’s support case management system.

The attackers gained access to files uploaded by certain Okta customers as part of some recent support cases.

The company pointed out that the breached system is separate from the production Okta service, which was not impacted, and that the Auth0/CIC case management system was not affected either. It says it has already notified all impacted customers.

Okta worked with impacted customers to investigate the breach and said it has taken measures to protect them: it revoked the session tokens embedded in the uploaded HAR files and recommends that customers sanitize all credentials, cookies and session tokens in a HAR file before sharing it.
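A sanitization pass of the kind Okta recommends, as an added example: this is not Okta's own HAR sanitizer, the sample HAR is constructed, and the header and key-name lists are assumptions to extend for your environment. It redacts credential headers, every cookie value, secret-looking query, form and JSON keys and any JWT-shaped string, and then scrubs every collected cookie or token literal from the whole document, because a session id tends to reappear under an innocuous key such as "id".

```python
"""Sanitize a HAR file before sharing it with support: strip cookies, session tokens and
other credentials. Added example, not Okta's tooling; the header and key lists are assumptions."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Headers whose entire value is a credential (assumed list; extend for your environment).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Parameter and JSON key names that usually carry secrets (assumed pattern, deliberately broad).
SENSITIVE_KEY = re.compile(r"token|session|cookie|secret|password|passwd|credential|assertion|code|key", re.I)
# Compact JWS/JWT shape: base64url segments whose first one decodes to '{"' (eyJ...).
JWT = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# Only URL-safe literals are blanket-replaced in the final pass, so a replacement can never
# straddle a JSON escape sequence in the serialized document.
SAFE_LITERAL = re.compile(r"^[A-Za-z0-9._~-]{8,}$")


def _redact_pairs(pairs, seen, all_values=False):
    """Redact a HAR name/value list in place; remember values so they can be scrubbed anywhere."""
    for item in pairs or []:
        name = item.get("name", "")
        if all_values or name.lower() in SENSITIVE_HEADERS or SENSITIVE_KEY.search(name):
            if SAFE_LITERAL.match(str(item.get("value", ""))):
                seen.add(item["value"])
            item["value"] = REDACTED


def _redact_query(query):
    """Redact secret-looking keys in a query string or form body, keeping the other fields."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return urlencode([(k, REDACTED if SENSITIVE_KEY.search(k) else v) for k, v in pairs], safe="[]")


def _redact_json(obj):
    if isinstance(obj, dict):
        return {k: REDACTED if SENSITIVE_KEY.search(k) else _redact_json(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_json(v) for v in obj]
    return obj


def _redact_body(body):
    """Scrub postData or content text: JSON keys or form fields, then any JWT-shaped string."""
    if not body or not body.get("text"):
        return
    text, mime = body["text"], body.get("mimeType", "")
    if "json" in mime:
        try:
            text = json.dumps(_redact_json(json.loads(text)))
        except ValueError:
            pass  # not valid JSON after all; the JWT pass below still applies
    elif "x-www-form-urlencoded" in mime:
        text = _redact_query(text)
    body["text"] = JWT.sub(REDACTED, text)


def sanitize_har(har):
    """Return a redacted deep copy of a parsed HAR document; the input is left untouched."""
    har, seen = copy.deepcopy(har), set()
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        _redact_pairs(req.get("headers"), seen)
        _redact_pairs(req.get("cookies"), seen, all_values=True)
        _redact_pairs(req.get("queryString"), seen)
        if req.get("url"):
            parts = urlsplit(req["url"])
            req["url"] = urlunsplit(parts._replace(query=_redact_query(parts.query)))
        if "postData" in req:
            _redact_pairs(req["postData"].get("params"), seen)
            _redact_body(req["postData"])
        _redact_pairs(resp.get("headers"), seen)
        _redact_pairs(resp.get("cookies"), seen, all_values=True)
        _redact_body(resp.get("content"))
    # Final pass: a cookie or token value can reappear under an innocuous key (e.g. "id"),
    # so scrub every collected literal from the serialized document.
    blob = json.dumps(har)
    for value in seen:
        blob = blob.replace(value, REDACTED)
    return json.loads(blob)


def leaked(har, secrets):
    """Return which of the given secret strings still appear anywhere in the HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed sample capture (not a real session); the values below are the secrets to remove.
SECRETS = ["102ABCSESSIONID", "DI0deviceToken", "eyJhbGciOiJIUzI1NiJ9",
           "20111abcdef", "102NEWSESSIONID", "20222secret"]
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/api/v1/sessions/me?sessionToken=20111abcdef",
        "headers": [{"name": "Cookie", "value": "sid=102ABCSESSIONID; DT=DI0deviceToken"},
                    {"name": "Authorization",
                     "value": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102ABCSESSIONID"}],
        "queryString": [{"name": "sessionToken", "value": "20111abcdef"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102NEWSESSIONID; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102NEWSESSIONID"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"id": "102NEWSESSIONID", "login": "alice@example.com",
                                        "sessionToken": "20222secret"})}}}]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print("still present:", leaked(clean, SECRETS))
    print(json.dumps(clean, indent=2))
```

Run the leaked() check against the values of your own live cookies and tokens before uploading the output; a sanitizer only knows the shapes it was taught, so treat its result as a starting point rather than a guarantee.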

The advisory includes a list of suspicious IP addresses (indicators of compromise) that customers can search for in their logs to detect potentially malicious activity.

“We recommend referring to our previously published advice on how to search System Log for any given suspicious session, user or IP. Please note that the majority of the indicators are commercial VPN nodes according to our enrichment information.” concludes the advisory.
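As an added example of the search the advisory recommends (this is not Okta's tooling, and the indicator IPs are RFC 5737 placeholders rather than the advisory's list), the script below reads a System Log export as newline-delimited JSON, matches client.ipAddress against the indicator set, and then pivots on authenticationContext.externalSessionId so that later activity from a replayed session token is surfaced even when it comes from an address that is not on the list. The events are constructed; the field names are those of the Okta System Log API.

```python
"""Sweep an Okta System Log export for indicator IPs and pivot from each hit to the whole
session it belongs to. Added example, not Okta's own tooling; IOC IPs are placeholders."""
import json

# Placeholder indicators (constructed, RFC 5737 ranges). Substitute the advisory's list.
IOC_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed events in the shape of Okta System Log API output.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"published": "2023-10-18T14:02:11.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.7"},
     "outcome": {"result": "SUCCESS"}, "authenticationContext": {"externalSessionId": "idxAAA111"},
     "securityContext": {"isProxy": True}},
    # Same session continues from a non-indicator address: this is what a replayed session
    # token looks like, and an IP-only search would miss it.
    {"published": "2023-10-18T14:05:40.000Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "192.0.2.55"},
     "outcome": {"result": "SUCCESS"}, "authenticationContext": {"externalSessionId": "idxAAA111"},
     "securityContext": {"isProxy": False}},
    {"published": "2023-10-18T15:10:02.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "192.0.2.10"},
     "outcome": {"result": "SUCCESS"}, "authenticationContext": {"externalSessionId": "idxBBB222"},
     "securityContext": {"isProxy": False}},
    {"published": "2023-10-18T16:44:19.000Z", "eventType": "user.authentication.auth_via_mfa",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.23"},
     "outcome": {"result": "FAILURE"}, "authenticationContext": {"externalSessionId": "idxCCC333"},
     "securityContext": {"isProxy": True}},
])


def _get(event, *path):
    """Nested lookup that tolerates missing objects in an event."""
    for key in path:
        event = event.get(key) if isinstance(event, dict) else None
    return event


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sweep(text, iocs):
    """Return direct indicator hits, the sessions they belong to, the other events in those
    sessions (the pivot), and every actor touched by either."""
    events = parse_events(text)
    hits = [e for e in events if _get(e, "client", "ipAddress") in iocs]
    sessions = {_get(e, "authenticationContext", "externalSessionId") for e in hits} - {None}
    pivot = [e for e in events
             if _get(e, "authenticationContext", "externalSessionId") in sessions and e not in hits]
    actors = sorted({_get(e, "actor", "alternateId") for e in hits + pivot} - {None})
    return {"hits": hits, "session_ids": sorted(sessions), "pivot": pivot, "actors": actors}


def report(result):
    """One line per event worth a look, tagged IOC (direct match) or PIVOT (same session)."""
    lines = []
    for tag, events in (("IOC", result["hits"]), ("PIVOT", result["pivot"])):
        for e in events:
            lines.append("%s %s %s actor=%s ip=%s proxy=%s session=%s result=%s" % (
                tag, e.get("published"), e.get("eventType"), _get(e, "actor", "alternateId"),
                _get(e, "client", "ipAddress"), _get(e, "securityContext", "isProxy"),
                _get(e, "authenticationContext", "externalSessionId"), _get(e, "outcome", "result")))
    return lines


if __name__ == "__main__":
    for line in report(sweep(SAMPLE_EVENTS, IOC_IPS)):
        print(line)
```

The securityContext.isProxy flag is carried through because, as the advisory notes, most of the indicators are commercial VPN nodes: a proxy-sourced session start followed by privileged activity from a second address is the pattern to escalate on, and the pivot is what makes the second address visible.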

In early September, Okta warned customers of social engineering attacks carried out in the preceding weeks by threat actors seeking elevated administrator permissions. The attacks targeted IT service desk staff to trick them into resetting all multi-factor authentication (MFA) factors enrolled by highly privileged users. The company did not attribute the attacks to a specific threat actor.

Pierluigi Paganini
