Pierluigi Paganini October 21, 2023

Okta revealed that threat actors breached its support case management system and stole sensitive data that can be used in future attacks.

Okta says that threat actors broke into its support case management system and stole authentication data, including cookies and session tokens, that can be abused in future attacks to impersonate valide users.

Okta asks customers to upload an HTTP Archive (HAR) file in order to support them in solving their problems and replicating browser activity. HAR files can also contain sensitive data, including authentication information. 

“Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.” reads data breach notification published by the company.

According to the advisory published by the company, Okta Security has identified adversarial activity abusing access to a stolen credential to gain access Okta’s support case management system.

The attackers gained access to files uploaded by certain Okta customers as part of some recent support cases.

The company pointed out that the breached system is separate from the production Okta service, which was not impacted. The company states that the Auth0/CIC case management system is not impacted and it has already notified all impacted customers. 

Okta worked with impacted customers to investigate the security breach, it also announced it has taken measures to protect them. The company revoked embedded session tokens and recommended sanitizing all credentials and cookies/session tokens within a HAR file before sharing it. 

The advisory includes a list of suspicious IP addresses that customers can use to detect potentially malicious activity.

“We recommend referring to our previously published advice on how to search System Log for any given suspicious session, user or IP. Please note that the majority of the indicators are commercial VPN nodes according to our enrichment information.” concludes the advisory.

In earlies September, Okta warned customers of social engineering attacks carried out in recent weeks by threat actors to obtain elevated administrator permissions. The attacks targeted IT service desk staff to trick them into resetting all multi-factor authentication (MFA) factors enrolled by highly privileged users. The company did not attribute the attack to a specific threat actor.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Okta)