Okta’s shared login access system attacked

Okta has sounded alarms over attackers targeting its cross-origin authentication feature in Customer Identity Cloud (CIC), the company’s management and authentication service.

Major security technology provider Okta has warned users that malicious actors are actively attempting credential-stuffing attacks against CIC.

“We observed that the endpoints used to support the cross-origin authentication feature are being attacked via credential stuffing for a number of our customers,” Okta said in an advisory.

During credential stuffing attacks, threat actors attempt to access online services using lists of usernames and passwords obtained in past data breaches, often unrelated to the service they’re trying to breach. Attackers bank on people reusing usernames and passwords across different accounts.

According to Okta, the company noticed the first whiffs of suspicious activity on April 15th. While not all users might be affected, Okta advised security teams to review fcoa, scoa and pwd_leak log events.

“If your tenant does not use cross-origin authentication, but scoa or fcoa events are present in event logs, then it is likely your tenant has been targeted in a credential stuffing attack,” the company said, adding recommendations on how to best protect against such attacks.
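The log review Okta describes can be scripted. The sketch below is an added example, not code from Okta or from the original article; it assumes a tenant log export with one JSON event per line and hypothetical field names `type`, `ip` and `user_name`, and it runs over constructed sample events.

```python
import json
from collections import Counter, defaultdict

# Event type codes named in the advisory quoted above.
CROSS_ORIGIN = {"fcoa", "scoa"}
WATCHED = CROSS_ORIGIN | {"pwd_leak"}

# Constructed sample export, one JSON event per line. The field names
# (type, ip, user_name) are assumptions about the export format.
SAMPLE_LOGS = """\
{"type": "fcoa", "ip": "198.51.100.7", "user_name": "alice@example.com"}
{"type": "fcoa", "ip": "198.51.100.7", "user_name": "bob@example.com"}
{"type": "fcoa", "ip": "198.51.100.7", "user_name": "carol@example.com"}
{"type": "scoa", "ip": "198.51.100.7", "user_name": "dave@example.com"}
{"type": "pwd_leak", "ip": "198.51.100.7", "user_name": "erin@example.com"}
{"type": "s", "ip": "203.0.113.20", "user_name": "frank@example.com"}
{"type": "fcoa", "ip": "203.0.113.20", "user_name": "frank@example.com"}
truncated-line-not-json
"""

def triage(lines, tenant_uses_cross_origin_auth, min_users=3):
    """Count watched events and apply the advisory's 'likely targeted' rule."""
    counts = Counter()
    failed, succeeded = defaultdict(set), defaultdict(set)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines instead of aborting
        etype = event.get("type") if isinstance(event, dict) else None
        if etype not in WATCHED:
            continue
        counts[etype] += 1
        ip, user = event.get("ip", "unknown"), event.get("user_name", "unknown")
        if etype == "fcoa":
            failed[ip].add(user)
        elif etype == "scoa":
            succeeded[ip].add(user)
    # One source failing against many distinct accounts looks like a reused
    # credential list, not a single user mistyping a password.
    sources = sorted(ip for ip, users in failed.items() if len(users) >= min_users)
    # A success from such a source may be a reused password that worked.
    review = sorted({u for ip in sources for u in succeeded.get(ip, ())})
    targeted = not tenant_uses_cross_origin_auth and any(counts[t] for t in CROSS_ORIGIN)
    return {"counts": dict(counts), "likely_targeted": targeted,
            "suspect_sources": sources, "accounts_to_review": review}

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS.splitlines(), tenant_uses_cross_origin_auth=False))
```

The `min_users` threshold is an illustrative value; accounts listed under `accounts_to_review` are candidates for a forced password reset.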

Last November, Okta’s support system suffered a data breach in which attackers stole data on all Okta customer support users.

According to David Bradbury, the company’s chief security officer (CSO), the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted, except customers in the company’s FedRAMP High and DoD IL4 environment.

Okta provides security technology for businesses, governments, and other organizations. Its largest customers include Zoom, Sonos, Bain & Company, T-Mobile, and Hewlett Packard.