Okta customer support system breach impacted 134 customers

Threat actors who breached the Okta customer support system also gained access to files belonging to 134 customers.

Threat actors who breached the Okta customer support system in October gained access to files belonging to 134 customers, the company revealed.

Some of the files accessed by the attackers are HAR files that contained session tokens. According to the company, the threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers.

In October, the Cloud identity and access management solutions provider said that threat actors broke into its support case management system and stole authentication data, including cookies and session tokens, that can be abused in future attacks to impersonate valid users.

Okta asks customers to upload an HTTP Archive (HAR) file in order to support them in solving their problems and replicating browser activity. HAR files can also contain sensitive data, including authentication information.

According to the advisory published by the company, Okta Security has identified adversarial activity abusing access to a stolen credential to gain access Okta’s support case management system.

The attackers gained access to files uploaded by certain Okta customers as part of some recent support cases.

“On Thursday, October 19, Okta advised customers of a security incident. Having finalized our investigation, we can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers.” reads the post published by the company. “Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event.”

The three customers who shared their own responses to the event are Cloudflare, 1Password, and BeyondTrust.

The attackers gained access to Okta’s customer support system by leveraging a service account stored in the system itself. The service account was granted permissions to view and update customer support cases. The security team at the company identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop.

“The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.” continues the post.

Okta disabled the compromised service account and blocked the use of personal Google profiles with Google Chrome on Okta-managed devices. The company also employed additional detection and monitoring rules for the customer support system and opted to bind Okta administrator session tokens based on network location (Complete).

Okta this week warned nearly 5,000 employees that their personal information was exposed due to a data breach suffered by the third-party vendor Rightway Healthcare.

In early September, Okta warned customers of social engineering attacks carried out in recent weeks by threat actors to obtain elevated administrator permissions. The attacks targeted IT service desk staff to trick them into resetting all multi-factor authentication (MFA) factors enrolled by highly privileged users. The company did not attribute the attack to a specific threat actor.

In December 2022, the American identity and access management giant revealed that its private GitHub repositories were hacked.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)