December 28, 2024
Okta's Support System Breach Exposes Customer Data to Unidentified Threat Actors

Oct 21, 2023 | Newsroom | Data Breach / Cyber Attack

Identity services provider Okta on Friday disclosed a new security incident that allowed unidentified threat actors to leverage stolen credentials to access its support case management system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” David Bradbury, Okta’s chief security officer, said. “It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted.”

The company also emphasized that its Auth0/CIC case management system was not impacted by the breach, noting it has directly notified customers who have been affected.

However, it said that the customer support system is also used to upload HTTP Archive (HAR) files to replicate end user or administrator errors for troubleshooting purposes.

“HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users,” Okta warned.

It further said it worked with impacted customers to ensure that the embedded session tokens were revoked to prevent their abuse.
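As an added illustration that is not from Okta or the original article, the following Python example redacts the cookie and token fields of a HAR capture before it is shared with a support desk. The `sanitize_har` name, the parameter-name list and the sample capture are assumptions constructed for this example.

```python
import copy

# Header names that carry credentials (compared case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Assumed list of token-bearing query parameter names; extend it per application.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code"}
REDACTED = "REDACTED"

# Constructed sample in HAR 1.2 layout; host, cookie and token values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://idp.example.test/app/home?token=abc123",
        "headers": [{"name": "Cookie", "value": "sid=102constructedSession"},
                    {"name": "Accept", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "102constructedSession"}],
        "queryString": [{"name": "token", "value": "abc123"}]},
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=103rotated; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "103rotated"}],
        "content": {"mimeType": "application/json", "text": '{"id_token":"xyz"}'}}}]}}


def _scrub(pairs, sensitive=None):
    """Redact name/value pairs whose name is sensitive (all pairs if None)."""
    hits = [p for p in pairs or []
            if sensitive is None or p.get("name", "").lower() in sensitive]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)


def sanitize_har(har):
    """Return (sanitized deep copy, count of redacted values) for a HAR dict."""
    clean, count = copy.deepcopy(har), 0
    for entry in clean.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            count += _scrub(msg.get("headers"), SENSITIVE_HEADERS)
            count += _scrub(msg.get("cookies"))  # every parsed cookie value
        count += _scrub(req.get("queryString"), SENSITIVE_PARAMS)
        count += _scrub((req.get("postData") or {}).get("params"))  # all form fields
        # The raw URL repeats the query string, so keep scheme, host and path only.
        req["url"] = req.get("url", "").split("?", 1)[0]
        # Bodies are replaced whole: they can carry tokens in any format.
        for body in (req.get("postData"), resp.get("content")):
            if body and body.get("text"):
                body["text"] = REDACTED
                count += 1
    return clean, count
```

Redacting a capture does not invalidate a session that was recorded in it; tokens in a file that was already shared still have to be revoked, as Okta did with the impacted customers.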

Okta did not disclose the scale of the attack, when the incident took place, and when it detected the unauthorized access. As of

BeyondTrust said it notified Okta of the breach on October 2, 2023, but the attack on Cloudflare suggests that the adversary had access to their support systems at least until October 18, 2023.

The identity management services firm said its Okta administrator had uploaded a HAR file to the system on October 2 to resolve a support issue, and that it detected suspicious activity involving the session cookie within 30 minutes of sharing the file. The attempted attacks against BeyondTrust were ultimately unsuccessful.

“BeyondTrust immediately detected and remediated the attack through its own identity tools, Identity Security Insights, resulting in no impact or exposure to BeyondTrust’s infrastructure or to its customers,” a spokesperson for the company told The Hacker News.

The development is the latest in a long list of security mishaps that have singled out Okta over the past few years. The company has become a high-value target for hacking crews because its single sign-on (SSO) services are used by some of the largest companies in the world.
