Okta data breach: Everything we know so far
On Friday, October 20, identity management platform Okta revealed that cybercriminals breached its support management system gaining access to sensitive customer data and tokens.
The hackers, who are yet to be identified, used stolen authentication credentials to access Okta's support system, through which they were able to view customer HTTP Archive (HAR) files containing session tokens and cookies. They then used the extracted tokens to target Okta customers and gain access to their systems.
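As an added example that is not part of the original article: a Python scrubber that blanks the session cookies and authorization headers a HAR file carries before the file is handed to a support desk, plus a pre-upload check that counts what is still exposed. Field names follow the HAR 1.2 format; the sample capture is constructed, not a real one.

```python
import copy

# Header names that carry session material (compared case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def sanitize_har(har: dict) -> dict:
    """Deep-copy a HAR document and blank request/response headers, cookie
    arrays and the request body, all of which can carry session tokens."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in part.get("cookies", []):
                cookie["value"] = REDACTED  # HAR stores raw cookie values here
        post = entry.get("request", {}).get("postData")
        if post:  # form fields and raw bodies can hold tokens as well
            post["text"] = REDACTED
            for param in post.get("params", []):
                param["value"] = REDACTED
    return clean


def leaked_values(har: dict) -> int:
    """Pre-upload check: count sensitive header/cookie values not yet redacted."""
    hits = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            hits += sum(1 for h in part.get("headers", [])
                        if h.get("name", "").lower() in SENSITIVE_HEADERS
                        and h.get("value") != REDACTED)
            hits += sum(1 for c in part.get("cookies", []) if c.get("value") != REDACTED)
    return hits


# Constructed sample HAR (not a real capture): one request carrying a session cookie.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://tenant.example/app",
                "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION"},
                            {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED_SESSION; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION"}]}}]}}
```

Running `leaked_values` on a capture before sending it is the cheap gate: anything above zero means the file still contains material an attacker could replay.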
Okta had been notified of suspicious activity by some of its customers
Password manager 1Password, an Okta customer, says that on September 29 it detected and notified Okta of suspicious activity on its systems.
BeyondTrust, an identity and access management system, also noted suspicious activity on its Okta administrator account and alerted Okta on October 2.
Additionally, two days before the breach became public, Internet infrastructure company Cloudflare detected abnormal behavior on its Okta systems and notified the company. It’s not the first time Cloudflare has been compromised through a breach on Okta systems.
“This is the second time Cloudflare has been impacted by a breach of Okta’s systems,” a group of Cloudflare engineers wrote on Friday before sharing a list of recommendations for how Okta can improve its security posture:
“Take any report of compromise seriously and act immediately to limit damage. Provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them. Require hardware keys to protect all systems, including third-party support providers.”
Implications of the attack
When an identity provider company like Okta is breached, the consequences can be severe because other businesses trust it with authentication and verification. Okta is the gatekeeper for over 18,000 businesses that have trusted it with their user credentials, including usernames, passwords, and session tokens.
By stealing this data, cybercriminals can easily infiltrate other systems, and unless the victim has a proper security strategy, the breach can go unnoticed for a long time – mainly because the criminals are using legitimate login credentials.
Case in point, Okta didn’t know it had been compromised until the warning alerts from its customers.
This is a major reputational hit for the identity provider, and one it will struggle to recover from. It is reported that Okta's share price fell by 11% in the immediate aftermath of the incident.
It’s not the first time Okta has been breached
What’s concerning about the recent incident is that Okta suffered a similar breach in 2022 when attackers compromised a third party that the company had trusted to do customer support work.
“What I find surprising in this case is that, after the 2022 breach, you'd think Okta would be on high alert for any externally exposed systems or personnel who may be targeted—and yet something has happened again,” says Adam Chester, a senior security consultant at TrustedSec.
Okta has said that the attack did not affect its production environment, nor its Auth0/CIC system, and customers who’ve not received a notice shouldn’t be worried about a potential breach.