An update from Okta on its October customer support security breach indicates that the damage is worse than initially expected, with all of the recent users of its Help Center service now being told that the attackers likely stole their uploaded files.
In addition, the hackers were able to access a greater range of internal reports and support cases than was initially reported. Okta says the main takeaway from this is that the contact information of any certified users that have used Help Center services has also likely been compromised.
Initial customer service breach report claimed only 134 customers had session tokens stolen
The initial security breach notification from the company indicated that relatively few of its clients (just about 1%) had to be concerned about the HAR files used for IT troubleshooting being stolen. These files, at least in some cases, contained session tokens and cookies that the threat actor could use to gain access to client systems. A technician at Okta would use HAR files to recreate the circumstances in which a client may have had a login issue or some other technical problem in connecting to the service.
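Because a HAR file is just a JSON capture of browser traffic, the session tokens and cookies described above can be stripped before the file is shared. The following sanitizer is an added example, not an Okta tool; the sample capture, the hostname example.okta.com and the cookie and token values in it are constructed.

```python
import json
import re

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Parameter and field names that commonly carry tokens or credentials.
NAME_RE = r"token|session|sid|password|code|assertion"
SENSITIVE_NAME = re.compile(NAME_RE, re.I)
# Matches "?sid=value" or "&token=value" inside a URL so the value can be dropped.
SENSITIVE_QUERY = re.compile(rf"([?&][^=&#]*(?:{NAME_RE})[^=&#]*=)[^&#]*", re.I)

def _scrub(pairs, name_is_sensitive):
    """Redact the value of every HAR {name, value} pair whose name is sensitive."""
    for pair in pairs:
        if name_is_sensitive(pair.get("name", "")):
            pair["value"] = REDACTED

def sanitize_har(har):
    """Return a redacted deep copy of a parsed HAR; the input is left untouched."""
    har = json.loads(json.dumps(har))
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            _scrub(msg.get("headers", []), lambda n: n.lower() in SENSITIVE_HEADERS)
            _scrub(msg.get("cookies", []), lambda n: True)  # every cookie value goes
        if "url" in req:
            req["url"] = SENSITIVE_QUERY.sub(r"\g<1>" + REDACTED, req["url"])
        _scrub(req.get("queryString", []), SENSITIVE_NAME.search)
        post = req.get("postData", {})
        _scrub(post.get("params", []), SENSITIVE_NAME.search)
        if SENSITIVE_NAME.search(post.get("text", "")):
            post["text"] = REDACTED  # form or JSON bodies may carry credentials
        content = resp.get("content", {})
        if SENSITIVE_NAME.search(content.get("text", "")):
            content["text"] = REDACTED  # responses often echo a session id
    return har

# Constructed sample (not a real capture): bearer token, session cookie, token in body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me?sid=abc123",
                "headers": [{"name": "Authorization", "value": "Bearer constructed.jwt"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "102abc"}],
                "queryString": [{"name": "sid", "value": "abc123"}],
                "postData": {"mimeType": "application/json", "text": "{}"}},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=102abc; Secure"}],
                 "cookies": [{"name": "sid", "value": "102abc"}],
                 "content": {"mimeType": "application/json", "text": "{\"sessionToken\":\"zzz\"}"}}}]}}

if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```

Redaction is deliberately aggressive (any cookie, any field whose name hints at a secret); a support engineer can still reproduce a login flow from the remaining request sequence and status codes.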
Okta has now revised this to advise all of its customers that contacted the Help Center for troubleshooting that they may have been impacted. Okta also says that the security breach of the customer support environment included reports not included in the prior assessment. One of the stolen files apparently contained a list of personal information for all of the customers that contacted the Help Center, regardless of whether or not they had a HAR file created. This includes all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers. The report includes the customer’s name and email address at minimum, but the company says that it also contained fields for physical addresses, last password change or reset, phone and mobile numbers, time zone and SAML Federation ID among other information.
Okta says that 99.6% of its customers had only their name and email address exposed in this way. However, that is a launch point for targeted phishing attacks, particularly if combined with other public or dark web information. Okta additionally advises that many of these exposed users are administrators and that 6% of them have not activated multi-factor authentication on their accounts.
Okta security breaches test customer, investor patience
This is not the only Okta security breach in recent history, but it is likely the most trying for customers. That is not only because of the sudden expansion of the scope of impacted customers in this revision, but also because of the recent disclosure that it was caused by an employee saving their personal Google login credentials on a work device. Okta apparently did not have sufficient layers of security in place to prevent access to the customer support system with nothing more than a username and password, a considerable failing for a company that specializes in centralizing and securing client logins.
Tom Kellermann, SVP of Cyber Strategy at Contrast Security, elaborates on why the security breach is such a major issue: “This might be the most significant intrusion of 2023. Okta’s support platform being hijacked can serve as a beachhead into 1000’s of corporate and government administrative accounts thus endowing the adversary with ADMIN access/keys to the castle. I hope OKTA is taking an all-hands-on-deck approach in responding to this intrusion which will have national security implications. I would underscore the need for them to engage with the FBI. From a response vantage they should immediately expand threat hunting, micro segmentation and apply runtime security to all production environments.”
The final total of Okta clients that contacted customer support and are potentially impacted is about 17,000. Okta has previously claimed that it has between 17,000 and about 18,000 customers in total, so the jump from about 1% to nearly 100% impacted is an almost total reversal of the initial security breach assessment.
Both customer and investor fatigue was apparent in the market immediately following the update to the customer support incident, with Okta’s stock plunging 11%. However, it has since largely rallied on the news of its third quarter earnings exceeding expectations.
Customers and investors have had to take stock of a string of Okta security breaches that now dates back to the start of 2022. In January of that year, one of the company’s support engineers had their laptop hacked. This granted the attackers, who turned out to be the Lapsus$ criminal group, the ability to reset customer passwords. The hackers used this to attack about 375 customers before their access was cut off. And in December of that year, attackers were able to worm into the company’s private GitHub repositories and access source code. This was followed by a 2023 campaign in which hackers systematically targeted service desk and customer support personnel in an attempt to get them to reset MFA for client accounts they were targeting.
Okta issued some advice to potentially impacted clients (apparently nearly all of them), starting with the use of MFA for admin access, ideally a phishing-resistant method such as FIDO2 WebAuthn or a smart card. The company also advised enabling admin session binding to require re-authentication when a new IP address makes contact, and setting admin session timeouts to the NIST recommendation of no more than 12 hours with a 15-minute idle time.