Okta Defends 2-Week Gap in Response to Identity Token Theft, Says 134 Affected Customers


Okta is defending its response to a recent security issue that alarmed several of the company’s customers, some of which are major Internet security brands.

In a new blog post On Friday, the identity management company said that from September 28 to October 17, a malicious actor “obtained unauthorized access to Okta customer support system files associated with 134 Okta customers.”

The message adds to what Okta had reported October 20in a warning that hackers used stolen Okta credentials to access files uploaded by an undisclosed number of customers.

The new blog post states that some of the files accessed were HTTP Archive (HAR) files, which track interactions between a website and a browser. These HAR files contained session tokens which could in turn be used for session hijacking attacks.

“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 clients,” the company said, noting that three of the clients – password manager 1Password, access management company BeyondTrust and internet security company Cloudflare – have already present their own reports about what happened.

Okta later explained that the attack came from a service account in a customer support system. The service account has been granted the necessary permissions to view and update customer support cases. The investigation found that an employee “signed into his personal Google profile on his Okta-managed laptop’s Chrome browser.”

“The service account username and password had been stored in the employee’s personal Google account. The most likely route to exposing these credentials is through compromise of the employee’s personal Google account or personal device,” Okta said.

Okta provided a timeline for its response to the issue, revealing that 1Password initially contacted on September 29, but that Okta did not deactivate the compromised service account until October 17.

In addition to 1Password’s warning, BeyondTrust notified Okta of a similar issue on October 2.

In its own post about what happened, Cloudflare did not hold back his criticism how Okta handled the situation. Cloudflare said Okta should “take any reports of compromise seriously and act immediately to limit the damage.”

Cloudflare criticized Okta for allowing the hacker to remain in its systems from October 2 to 17 despite being notified by BeyondTrust. Cloudflare also called for “prompt and responsible disclosures” to customers once violations are identified.

When asked about the significant time gap, Okta security chief David Bradbury told Recorded Future News that the company began the investigation “immediately” after 1Password came forward.

“We suspected that 1Password was most likely the victim of a malware or phishing attack. These are the two most common methods that Okta Security considers related to session token theft, bad actors using malware such as RedLine Stealer, or phishing kits that use transparent proxies such as EvilProxy,” he said. -he declares.

“We met with 1Password and BeyondTrust several times during this 14-day period to attempt to identify the compromise in partnership with them. Ultimately, it took us this long to investigate because their initial findings did not allow us to investigate further.

In the blog post, Okta attributed the gap of more than two weeks to not being able to “identify suspicious downloads” in the logs.

Okta said its initial investigation focused on access to support folders, where it reviewed logs related to those folders. But the company later realized that the hacker was navigating its system in a different way, generating “a completely different log event with a different record ID.”

“On October 13, 2023, BeyondTrust provided Okta Security with a suspicious IP address attributed to the threat actor. Using this indicator, we identified additional file access events associated with the compromised account,” Okta said.

The company said it has made several changes to its logging practices to address the missteps described and a spokesperson said all customers have been informed.

Okta faced backlash last year for its handling of another data breach involving multiple customers and the company’s CSO publicly apologized for the incident.

Get more information with the

Future saved

Intelligence cloud.

Learn more.

No previous articles

No new articles

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Share This Article
Leave a comment