Major security technology provider Okta has been hit by a cyberattack, with hackers acquiring authentication tokens and accessing the firm’s support system.
In its public statement, Okta said that hackers stole credentials to access support case management systems and could view files uploaded by certain customers as part of recent support cases.
The firm notified impacted customers and added that the compromised system is separate from the production Okta service, which is “fully operational and has not been impacted,” as well as the Auth0/CIC case management system.
The affected system stored customer HTTP Archive (HAR) files, which record a browser's HTTP requests and responses during a session. Useful for debugging and performance tuning, these files can contain sensitive data such as cookies, authentication tokens, personal information, URLs, IP addresses, and more.
Hackers in possession of these HAR files could potentially steal credentials, hijack sessions, engage in identity theft, or even exploit financial data. Sensitive information may also be used for phishing attacks or other malicious purposes.
“Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it,” the firm said in its public statement.
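The sanitization Okta recommends is straightforward to automate. The following is an added example, not Okta's or Cloudflare's tooling: it redacts credential-bearing headers, cookies, token-like query parameters and message bodies in a HAR document before it is attached to a support case. The header and parameter name lists are assumptions and should be extended for your own applications.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample HAR (not from the article): one exchange carrying a bearer
# token, a session cookie, a query-string token and an id_token in the body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://tenant.example.invalid/oauth2/v1/userinfo?access_token=abc123",
        "headers": [{"name": "Authorization", "value": "Bearer eyJhbGc.payload.sig"},
                    {"name": "Cookie", "value": "sid=s3cr3t"},
                    {"name": "Accept", "value": "application/json"}],
        "queryString": [{"name": "access_token", "value": "abc123"}],
        "cookies": [{"name": "sid", "value": "s3cr3t"}]},
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=n3wval; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "n3wval"}],
        "content": {"mimeType": "application/json", "text": '{"id_token": "zzz"}'}}}]}}

# Assumed name lists; extend with whatever your own apps use for credentials.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code", "sessiontoken"}
REDACTED = "[REDACTED]"

def _scrub_url(url):
    """Replace the value of every sensitive query parameter in a URL."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return (redacted deep copy, count of values replaced). Bodies are dropped
    whole: tokens inside JSON or form bodies cannot be matched by name."""
    har, hits = copy.deepcopy(har), 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for hdr in part.get("headers", []):
                if hdr.get("name", "").lower() in SENSITIVE_HEADERS:
                    hdr["value"], hits = REDACTED, hits + 1
            for cookie in part.get("cookies", []):
                cookie["value"], hits = REDACTED, hits + 1
            for param in part.get("queryString", []):
                if param.get("name", "").lower() in SENSITIVE_PARAMS:
                    param["value"], hits = REDACTED, hits + 1
            for body in ("postData", "content"):
                if part.get(body, {}).get("text"):
                    part[body]["text"], hits = REDACTED, hits + 1
        if "url" in entry.get("request", {}):
            entry["request"]["url"] = _scrub_url(entry["request"]["url"])
    return har, hits
```

Redaction is by field name, so a token hidden in an unusual header or parameter will survive; review the output before uploading it, and treat any token that did appear in a shared HAR as compromised and revoke it.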
Okta is an identity and access management company providing security technology for businesses, governments, and other organizations. Its largest customers include Zoom, Sonos, Bain & Company, T-Mobile, and Hewlett Packard.
The breach was announced by the IT service management company Cloudflare, which detected unauthorized access to its Okta instance on October 18th. Threat actors leveraged a compromised Okta authentication token to access Cloudflare’s Okta instance.
This breach was not the first major cyber incident in Okta’s systems. Back in December 2022, Okta had its private GitHub code repositories hacked. Cloudflare said that this is the second time it has been impacted by a breach of Okta’s systems.
Cloudflare released separate recommendations for Okta customers, which include enabling hardware multi-factor authentication for all user accounts – as passwords alone do not provide sufficient protection – and monitoring and investigating all suspicious events.
“We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response,” Cloudflare stated.
Security firm BeyondTrust said that its security team detected and remediated an attack on an in-house Okta administrator account on October 2nd. No users or infrastructure were affected. Despite reporting on the same day, it took Okta until October 19th to acknowledge the issue.
Okta's share price fell 11% after the announcement.