A new report on the Okta security breach from late September to mid-October reveals that 134 of the company’s 18,400 clients were impacted, but that only five instances of successful session hijacking were logged.
The Okta security breach was first disclosed on October 20. Several of its clients, including 1Password and Cloudflare, had already revealed intrusion attempts tied to the incident. Identity management firm BeyondTrust is also among the small group that experienced breaches.
Okta security breach linked to saved Google password on Okta-managed employee laptop
The final report on the Okta security breach indicates that the attackers were able to access HAR files containing session tokens of 134 customers, but it appears they were very selective in which they chose to pursue follow-up attacks on (going for Cloudflare and two major identity management services along with two other unnamed customers). All 134 impacted customers were said to have had “at least one file” accessed by the attackers, however; these were most likely support files uploaded to Okta customer service.
The source of the Okta security breach appears to be a company employee’s Okta-managed laptop. The employee had stored their Google password in a Chrome browser on the laptop used to access both the Okta environment and their personal account; likely either the personal Google account or the device itself was compromised by the attackers.
The report also provides a clearer timeline for the Okta security breach. The first tip-off was a report from 1Password of suspicious activity on September 29, roughly a day after the breach is thought to have begun. Okta Security commenced an investigation immediately, with multiple meetings with 1Password taking place up to October 2. During this time, BeyondTrust also stepped forward to report similar suspicious activity.
Okta’s remediation of the issue has included blocking employees from accessing personal Google profiles with Chrome on managed devices, adding more monitoring to the customer support system, and binding Okta administrator session tokens based on network location (requiring administrators to re-authenticate if a change is detected).
Okta employee records stolen in separate breach
While the overall impact of the Okta security breach is thought to be relatively minimal, the company is dealing with another recent breach at a third-party contractor that led to the theft of thousands of employee records.
In early November, some company employees received notifications about this second Okta security breach. A third-party vendor called Rightway Healthcare was broken into on September 23, with Okta not receiving notification of the breach until October 12. About 5,000 health-related records belonging to Okta employees and their families were accessed, with all of the records dated from April 2019 through the end of 2020. This included highly sensitive data, such as Social Security numbers and insurance plan information.
The company has now had something of a string of security incidents over the past two years, though none have resulted in any massive data leaks as of yet. Okta had source code stolen from its private GitHub repositories late last year, only a few months after its subsidiary Auth0 experienced a similar breach of “older” code repositories. It was also breached by the Lapsus$ criminal hacking group in January of 2022, an incident that reportedly impacted about 2.5% of its customer base but for which it took substantial heat because it delayed reporting it until well into March.
The HAR files that were taken in the more recent Okta security breach are essentially ZIP archives of customer HTML files and activity that troubleshooters can use to recreate the steps and circumstances that led to a technical issue. These archives can sometimes contain user cookies or session tokens that provide an attacker with further access to the customer’s systems, something that the hackers in this case appeared to be combing for (and the likely reason why relatively few Okta clients ended up reporting follow-on breaches).
Cloudflare responded to their incident by introducing a HAR sanitizer (free to the general public) that will strip out these session elements that can potentially authenticate an attacker; Beyond Identity has since created a similar tool meant specifically for Okta customers.
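The sanitizing step described above, as an added example that is not Cloudflare’s or Beyond Identity’s tool and is not from the original article: a minimal HAR sanitizer in Python. It assumes the standard HAR 1.2 JSON layout (log.entries[].request/response with headers, cookies and queryString) and redacts the cookie, authorization and token-bearing values that would let someone replay a session; the sample HAR is constructed.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header and parameter names that commonly carry session state or credentials (assumed list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "sessiontoken", "session", "code"}

def _redact_url_query(url):
    """Redact sensitive query-string values inside the request URL itself."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har_text):
    """Return (sanitized HAR 1.2 JSON text, number of values redacted)."""
    har = json.loads(har_text)
    redactions = 0
    for entry in har.get("log", {}).get("entries", []):
        request, response = entry.get("request", {}), entry.get("response", {})
        for message in (request, response):
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    redactions += 1
            for cookie in message.get("cookies", []):  # every cookie value is session material
                cookie["value"] = REDACTED
                redactions += 1
        for param in request.get("queryString", []):
            if param.get("name", "").lower() in SENSITIVE_PARAMS:
                param["value"] = REDACTED
                redactions += 1
        if "url" in request:  # the parsed queryString is a copy; the raw URL must be scrubbed too
            request["url"] = _redact_url_query(request["url"])
    return json.dumps(har, indent=2), redactions

# Constructed sample HAR (not a real capture): a session cookie plus a token in the URL.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"},
    "entries": [{"request": {"method": "GET", "url": "https://sso.example.test/api?sessionToken=TOKEN123",
                             "headers": [{"name": "Cookie", "value": "sid=SECRET1"}, {"name": "Accept", "value": "*/*"}],
                             "cookies": [{"name": "sid", "value": "SECRET1"}],
                             "queryString": [{"name": "sessionToken", "value": "TOKEN123"}]},
                 "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=SECRET2; HttpOnly"}],
                              "cookies": [{"name": "sid", "value": "SECRET2"}]}}]}})

if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"{count} values redacted")
```

Request bodies (postData) are left untouched here; a production sanitizer should redact those as well, since login forms and token exchanges carry secrets in the body.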
Anurag Gurtu, Chief Product Officer at StrikeReady, adds: “The recent security breach at Okta serves as a stark reminder of the potential vulnerabilities that can arise from seemingly innocuous practices, like using personal accounts on company devices. This incident underscores the critical need for organizations to reinforce their cybersecurity policies and ensure that employees are fully aware of the risks associated with mixing personal and professional digital activities. It’s also a call to action for companies to continuously monitor and manage access privileges, and to deploy multi-layered security measures that can detect and mitigate unauthorized access promptly. Effective cybersecurity is not just about having the right tools; it’s about instilling the right discipline and awareness at every level of the organization. As we assist our clients in navigating their cybersecurity landscape, incidents like these are invaluable learning opportunities to fortify their defenses and prepare for the inevitability of human error.”
Though it is not due to a particular security failing at Okta, hackers have been highly active in targeting the company’s clients with phishing attempts in the latter half of 2023. The attempts are likely due more to the ubiquity of Okta use at large and prestigious companies than to attackers seeing the service as particularly vulnerable, but nevertheless organizations need to be on the lookout for attempts to get IT service desks to reset the credentials of “superuser” admin accounts. The hackers tend to target a unique Okta feature called “Inbound Federation” that is generally only available to the highest-level admins in organizations that provision sets of apps by division; Okta has issued extensive advice on securing this feature and the sorts of highly privileged accounts that generally have access to it.