
Okta Source Code Stolen in Raid on GitHub Repositories

Third-party authentication service provider Okta is once again in cybersecurity trouble as the company’s GitHub repositories have been hacked. There does not appear to be any impact on Okta clients, but the service source code appears to have been stolen in the breach.

Okta says platform security “not reliant” on confidentiality of its source code

An email notification sent by Okta’s Chief Security Officer (CSO) David Bradbury to a list of “security contacts” was leaked to the media; it indicates that the Okta GitHub repositories were breached sometime in early December and that the observed activity indicates service source code was stolen.

The notification also reassures these contacts that customer information and logins were not impacted, and that there was no unauthorized access to the service. When source code is stolen, the immediate concern is that the thieves will be able to scrutinize it to find vulnerabilities for future attacks; the notification also assured recipients that Okta does not rely on the confidentiality of its source code for the security of its services.

As to the scope of the source code theft, the attackers appear to have broken into Okta Workforce Identity Cloud (WIC) GitHub repositories, but not those of the Auth0 Customer Identity Cloud product. Okta has since suspended all third-party interactions with its GitHub repositories and placed temporary layers of security restriction on them as well.

The breach of the GitHub repositories has not yet been officially confirmed by Okta, but media sources such as BleepingComputer have shared screenshots of the private emails that outline the details of the attack.

Full impact of raid on GitHub repositories unknown until Okta confirms incident

It’s hard to estimate the full potential damage caused by this breach, given that the only information available is an email that only partially reveals what source code might have been taken. While Okta says that keeping the source code away from the public is not key to keeping its services secure, code sometimes contains login information or authorization keys that few in the company are aware of. There is some reason for concern at this point, as Okta had told media sources on December 21 that it would “soon” be publishing a blog post regarding the incident, but as the business day draws to a close on December 22 there is still no word from the company on its press page.

It also remains unclear for how long the attackers had access to the GitHub repositories. Okta reportedly became aware of the issue when GitHub notified it of potentially suspicious activity. Okta has previously delayed the reporting of a breach for an extended period of time, when it was compromised by Lapsus$ early this year.

The incident continues a tough year for cybersecurity at Okta, and one that has likely shaken customer faith in its products to at least some degree. While Auth0’s GitHub repositories were apparently not accessed in this particular breach, they were hit in September and source code was also reportedly taken in that attack (though the company says that it was an “older” version).

The attack in January involving the Lapsus$ group led to the compromise of the company’s administrative console, and the hackers posted screenshots that they claimed contained stolen customer data. A follow-up investigation determined that information from about 2.5% of its customers, or about 375 organizations, had been taken and that the breach had originated with third-party contractor Sitel. Okta faced additional trouble from this incident as it attempted to keep it out of public view, only acknowledging it in March when Lapsus$ publicly declared responsibility and shared some of the stolen materials.

The incident highlights the increasing popularity of GitHub repositories as a primary target for hackers. This trend stretches back to 2021, and attackers are not just interested in selling and analyzing source code but also sneaking their own malicious elements and backdoors into code in development without anyone at the target organization noticing.

Matt Mullins, Senior Security Researcher for Cybrary, elaborates on this trend (and how it can be stopped): “Okta’s breach is galvanizing of the perspective that CI/CD (along with git repos for code) have become the new target upstream of organizations. Getting access to these systems gives an APT group the benefit of having ‘early access’ to their targets and research vulnerabilities (such as obvious flaws in code), secrets (such as hardcoded creds in scripts), or misconfigurations (such as obvious anti-patterns in configurations). In general, things like MFA should really be used on as many systems as possible, including git commits and other pushes! With this setup, on almost every major action (like commits), there is less opportunity for attackers to push malicious code or backdoors, even if they have credentials. With MFA fatigue being a new factor, the more critical the application or system, the more hardened the MFA should be. OTP, Mobile push, SMS, and other weaker methods shouldn’t be used in favor of stronger authentication methods like FIDO2.”
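The hardcoded credentials Mullins mentions, and the login information and authorization keys the article notes can sit in source, are exactly what a pre-commit or CI secret scan is meant to catch before code ever reaches a repository. The following Python is an added illustration, not Okta’s or GitHub’s tooling; the rule set, entropy threshold and sample config module are constructed for the example (the AWS key shown is the documented placeholder, not a live credential).

```python
import math
import re

# Credential patterns that commonly leak into source; run as a pre-commit or CI check.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
}
PLACEHOLDERS = {"changeme", "password", "example", "redacted", "todo"}  # not live creds
ENTROPY_THRESHOLD = 4.0  # bits per character; random tokens usually score higher

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_source(text: str) -> list:
    """Return (line_number, rule_name) pairs for suspected hardcoded credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if re.search(r"os\.environ|getenv\(", line):
            continue  # value is read from the environment, not embedded in code
        matched = False
        for name, pattern in RULES.items():
            m = pattern.search(line)
            if m and not (name == "hardcoded_secret_assignment"
                          and m.group(2).lower() in PLACEHOLDERS):
                findings.append((lineno, name))
                matched = True
        if matched:
            continue
        # Fallback for nondescript names: a long, high-entropy quoted literal is likely a token.
        for literal in re.findall(r"['\"]([A-Za-z0-9+/=_-]{20,})['\"]", line):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_literal"))
                break
    return findings

# Constructed sample config module mixing safe and unsafe patterns.
SAMPLE = """\
DB_PASSWORD = os.environ["DB_PASSWORD"]
admin_password = "changeme"
api_key = "sk_live_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
KEY = "-----BEGIN RSA PRIVATE KEY-----"
SIGNING_SEED = "q7Zp3xL9vK2mN8bT4wR6yH1uJ5eC0aFs"
"""
```

Running `scan_source(SAMPLE)` flags lines 3 to 6 and passes the environment lookup and the placeholder on lines 1 and 2.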

Okta continues to be the market leader in identity management, with an estimated 37% of the market in October (after its two major 2022 breaches had already hit the news). Part of the customer loyalty may simply be the fact that after the Auth0 acquisition, there are not many alternatives that offer the same profile of products under one roof; another may be that some of the biggest competitors (most notably Microsoft Azure) have seen their own spate of vulnerabilities pop up recently.

Still, customers must be asking questions, as summarized by Craig Burland (CISO, Inversion6): “As an Okta customer, I would be worried about three things: 1) Is there a fundamental problem with how Okta is managing their environments? 2) Has the Okta platform been somehow compromised that would threaten my operation? 3) What, if anything, can I do quickly to minimize or mitigate the risk to my organization? How Okta responds to this event and reassures its customers will set the tone for 2023 and may be telling about Okta’s future as the premier provider in this space.”