Understanding the Latest Okta Breach
Here’s why this latest incident matters and how your business can mitigate the impact
Identity management provider Okta disclosed a security incident in October 2023, its second high-profile incident in two years. With identity-based attacks on the rise, proactively securing the systems that hold your credentials and sessions matters more than ever.
Here’s a comprehensive breakdown of the incident and a set of guidelines that your business can use to shore up your cybersecurity strategy.
Decoding the Okta Breach
Okta disclosed that an attacker used stolen credentials to get into its customer support case management system. According to the company’s Chief Security Officer, that access let the threat actor view HTTP Archive (HAR) files that customers had uploaded while troubleshooting. A HAR file is a recording of a browser’s HTTP traffic, headers included, so it can contain session tokens and cookies; a valid session cookie lifted from one can be replayed to hijack the account it belongs to.
BeyondTrust, an identity security firm and Okta customer, discovered the breach in early October after blocking an unauthorized login attempt against its own Okta environment. According to BeyondTrust, the attempt used a session cookie stolen from Okta’s support system. Cloudflare also detected malicious activity tied to the breach, contained it, and confirmed that none of its customers’ information or systems were affected.
Okta said that only a “very small number” of its 18,000+ customers were affected. An independent security journalist reported that the threat actors had direct access to Okta’s support platform, which let them view support cases and the files customers had uploaded to them. The attackers are believed to have had that access for roughly two weeks.
Why the Okta Breach Is a Big Deal
Breaches like this are concerning because they can cascade to thousands of downstream organizations. When a single provider handles identity and access management for many businesses, compromising it can yield a trove of material, such as credentials and session tokens, that can be used against every one of those businesses.
The damage is not limited to stolen data. An attacker holding authentication or administrative credentials can change the configuration of affected systems, inject malicious code, take critical systems offline, and cause a wide range of other serious disruptions.
This is also not Okta’s first serious incident. In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer employed by a third-party provider. LAPSUS$, the threat group reportedly behind that intrusion, ended up with access that Okta said could have affected up to 366 of its customers.
What Can My Business Do?
These breaches have had an extremely limited impact on Okta’s product, which our team and the wider cybersecurity industry hold in high regard. Okta is, however, a popular target precisely because of its large customer base. Okta says it has notified all affected customers, but the incident is a good prompt to review key parts of your organization’s security posture. Here are some actionable steps:
- Restrict Access to Admin Consoles: Limit who can reach the admin consoles of operationally critical software, and audit that access regularly. Each user should hold only the privileges needed for their job, so that a compromised account gives an attacker as little as possible.
- Implement Multi-Factor Authentication (MFA): Requiring MFA at every sign-in, and especially for administrator logins, deters credential-based access attempts. Keep in mind that MFA protects the login step only: a session cookie stolen after a successful login, as in this incident, is replayed without ever triggering an MFA prompt, which is why the session controls below matter.
If your organization’s IT operations are more advanced, we suggest the following:
- Regulate Session Duration and Invalidate Session Cookies: A session cookie stands in for a completed login, which makes it a prime target. Sessions should expire, or be invalidated outright, under defined conditions so that a copied cookie cannot be replayed indefinitely. Always invalidate the session on the server when a user, especially an administrator, logs out; clearing the cookie in the browser alone leaves any stolen copy usable. End sessions automatically after a period of inactivity, which also covers a user who walks away from an unlocked machine, and cap the total lifetime of a session so that even an active one must re-authenticate periodically.
- Sanitize HAR Files: When sharing HAR files for diagnostic purposes or issue tracking (e.g., with tech support or developers), sanitize them first to prevent sensitive data exposure. Make sure every sensitive value in the file, such as account details, session cookies and tokens, authorization headers, or other personally identifiable information (PII), has been removed before sharing. Google publishes a free, open-source HAR Sanitizer that organizations can use for this. If an unsanitized HAR file has already been shared, treat the session it captured as exposed and revoke it.
If your organization needs further technical detail on this Okta breach, the company has published indicators of compromise (IoCs) for the incident on its website.
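The server side of the session guidance above, as an added example that is not Okta’s code and not part of the original article: an in-memory session store with an idle timeout, a shorter idle budget for administrators, an absolute lifetime, logout revocation and per-user revocation, followed by a scenario that replays a cookie copied out of a HAR file and records exactly when the copy stops working. The timeout values, the store, the hypothetical user name and the timeline are assumptions; a production system applies the same rules from a persistent store.

```python
"""Server-side session lifecycle: idle timeout, absolute lifetime and explicit revocation.
Added example, not Okta's implementation. The timeouts, the in-memory store, the user
name and the replay timeline are assumptions chosen to illustrate the guidance above."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed: 15 min without a request ends a normal session
ADMIN_IDLE_TIMEOUT = 5 * 60   # assumed: administrators get a shorter idle budget
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: re-authenticate after 8 h however active the session

@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    privileged: bool

class SessionStore:
    """Maps a cookie value to server-side state; the cookie itself is just a random pointer."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised without waiting
        self._sessions = {}

    def create(self, user, privileged=False):
        sid = secrets.token_urlsafe(32)   # 256 random bits: unguessable, unrelated to the user
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, privileged)
        return sid

    def validate(self, sid):
        """Return the user if the session is live (refreshing its idle timer), else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        idle_budget = ADMIN_IDLE_TIMEOUT if s.privileged else IDLE_TIMEOUT
        if now - s.last_seen > idle_budget or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[sid]       # expired: from here on any replay of the cookie fails
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        """Revoke on the server. Clearing the browser cookie alone leaves a stolen copy valid."""
        return self._sessions.pop(sid, None) is not None

    def revoke_user(self, user):
        """End every session of one user, e.g. after learning their HAR file was exposed."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

def replay_scenario():
    """An attacker copies an admin's cookie out of a HAR file: when does the copy stop working?"""
    start = 1_700_000_000.0
    clock = [start]                                 # constructed timeline, advanced by hand
    store = SessionStore(clock=lambda: clock[0])
    admin = "admin@acme.example"                    # hypothetical user
    outcome = {}

    stolen = store.create(admin, privileged=True)   # this value sat in the HAR's Cookie header
    outcome["works_while_live"] = store.validate(stolen) == admin

    store.logout(stolen)                            # the admin signs out
    outcome["works_after_logout"] = store.validate(stolen) is not None

    stolen = store.create(admin, privileged=True)
    clock[0] += ADMIN_IDLE_TIMEOUT + 60             # admin walks away; attacker tries later
    outcome["works_after_idle"] = store.validate(stolen) is not None

    stolen = store.create(admin, privileged=True)
    while clock[0] - start < ABSOLUTE_LIFETIME + 600:
        clock[0] += 60                              # admin stays active all day...
        store.validate(stolen)                      # ...so the idle timer never fires
    outcome["works_after_absolute"] = store.validate(stolen) is not None

    stolen = store.create(admin, privileged=True)   # a fresh session, then the theft is reported
    outcome["sessions_revoked"] = store.revoke_user(admin)
    outcome["works_after_revoke"] = store.validate(stolen) is not None
    return outcome

if __name__ == "__main__":
    for check, result in replay_scenario().items():
        print(f"{check}: {result}")
```

The point of the scenario is the first result versus the rest: a copied cookie is fully valid until the server forgets the session, and only the server can forget it. Logout, the idle timer and the absolute lifetime each close the window on their own; `revoke_user` is what you reach for once you know a HAR file with a live cookie has left the building.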
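A minimal HAR sanitizer in Python, added here as an illustration of the step above; it is not Google’s HAR Sanitizer and not code from the article. It redacts credential and cookie headers, every cookie value, and token-like names in query strings, URL fragments, form bodies and JSON bodies, then returns a sanitized copy together with a count you can log. The sample HAR is constructed for the example (the `acme.example` host and its values are invented), and the lists of sensitive header and parameter names are an assumed baseline to extend, not a complete inventory.

```python
"""Redact session material from a HAR file before attaching it to a support case.
Added example, not Google's HAR Sanitizer and not Okta's or At-Bay's code. SAMPLE_HAR is
constructed; the sensitive header and parameter names are an assumed baseline to extend."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Headers carrying credentials or session state (compared case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "x-csrf-token", "x-xsrf-token"}
# Parameter / JSON key names that commonly carry tokens. Deliberately greedy (it also hits
# "encoded" or "statement"): over-redacting a field is cheap, leaking a session is not.
SENSITIVE_PARAMS = re.compile(r"token|secret|password|passwd|session|sid|code|state|"
                              r"nonce|assertion|samlresponse|authorization|api[_-]?key", re.I)

def _redact_pairs(items, is_sensitive):
    """Redact 'value' of each HAR {name, value} record whose name is sensitive."""
    n = 0
    for item in items or []:
        if is_sensitive(item.get("name", "")):
            item["value"], n = REDACTED, n + 1
    return n

def _redact_query(qs):  # form-encoded string: query, fragment or request body
    pairs = parse_qsl(qs, keep_blank_values=True)
    if not pairs:
        return qs, 0
    n, out = 0, []
    for key, value in pairs:
        if SENSITIVE_PARAMS.search(key):
            value, n = REDACTED, n + 1
        out.append((key, value))
    return urlencode(out, safe="[]"), n

def _redact_url(url):
    p = urlsplit(url)  # the fragment matters too: implicit-flow responses put tokens after '#'
    query, n1 = _redact_query(p.query)
    fragment, n2 = _redact_query(p.fragment)
    return urlunsplit((p.scheme, p.netloc, p.path, query, fragment)), n1 + n2

def _redact_json(obj):  # walk a decoded body; redact string values under sensitive keys
    n = 0
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, str) and SENSITIVE_PARAMS.search(key):
                obj[key], n = REDACTED, n + 1
            else:
                n += _redact_json(value)
    elif isinstance(obj, list):
        n = sum(_redact_json(v) for v in obj)
    return n

def _redact_body(text):
    try:  # bodies are usually JSON (token endpoints) or form-encoded; others are left alone
        data = json.loads(text)
    except ValueError:
        return _redact_query(text) if "=" in text else (text, 0)
    n = _redact_json(data)
    return json.dumps(data), n

def sanitize_entry(entry):
    """Sanitize one HAR entry in place; returns how many values were redacted."""
    req, resp = entry.get("request", {}), entry.get("response", {})
    post = req.get("postData") or {}
    is_header = lambda name: name.lower() in SENSITIVE_HEADERS
    req["url"], n = _redact_url(req.get("url", ""))
    for items, rule in ((req.get("headers"), is_header), (resp.get("headers"), is_header),
                        (req.get("cookies"), lambda _: True),   # every cookie value goes,
                        (resp.get("cookies"), lambda _: True),  # whatever its name
                        (req.get("queryString"), SENSITIVE_PARAMS.search),
                        (post.get("params"), SENSITIVE_PARAMS.search)):
        n += _redact_pairs(items, rule)
    for holder in (post, resp.get("content") or {}):  # request body, response body
        if holder.get("text"):
            holder["text"], k = _redact_body(holder["text"])
            n += k
    return n

def sanitize_har(har):
    """Return (sanitized deep copy, total values redacted); the input is left untouched."""
    clean = copy.deepcopy(har)
    total = sum(sanitize_entry(e) for e in clean.get("log", {}).get("entries", []))
    return clean, total

def contains(har, needle):  # leak check: does the literal string survive anywhere?
    return needle in json.dumps(har)

SAMPLE_HAR = {"log": {"version": "1.2", "entries": [  # constructed; not a real capture
    {"request": {"method": "GET", "url": "https://acme.example/api/v1/users/me?expand=profile",
                 "headers": [{"name": "Cookie", "value": "sid=abc123; DT=xyz"},
                             {"name": "Authorization", "value": "SSWS 00Tsecret"}],
                 "cookies": [{"name": "sid", "value": "abc123"}]},
     "response": {"status": 200, "cookies": [{"name": "sid", "value": "def456"}],
                  "headers": [{"name": "Set-Cookie", "value": "sid=def456; Secure; HttpOnly"}],
                  "content": {"text": '{"id": "00u1", "sessionToken": "tok789"}'}}},
    {"request": {"method": "POST", "url": "https://acme.example/oauth2/v1/token",
                 "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "grant_type=authorization_code&code=AUTHCODE&client_id=c1",
                              "params": [{"name": "grant_type", "value": "authorization_code"},
                                         {"name": "code", "value": "AUTHCODE"},
                                         {"name": "client_id", "value": "c1"}]}},
     "response": {"status": 200,
                  "content": {"text": '{"access_token": "eyJ.a.b", "token_type": "Bearer"}'}}}]}}
```

To clean a real capture, `json.load` the file, pass the dict to `sanitize_har`, and `json.dump` the first element of the result; run `contains` with any value you know was sensitive as a last check before attaching it to a ticket. Cookies are redacted wholesale rather than by name because a browser session may ride on a cookie whose name gives no hint, and the parameter pattern is greedy for the same reason: a redacted diagnostic field costs a support engineer a follow-up question, while a surviving session cookie is exactly what this incident turned on.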
If you are an At-Bay broker or policyholder with questions or concerns regarding the Okta breach, please contact our Security team at security@at-bay.com.