Okta [1] [2] [3] [4] [5] [6] [7], a provider of identity services [3], recently disclosed an October 2023 breach of its support case management system [3]. This breach impacted all of Okta’s customers and resulted in the theft of customer-uploaded session tokens and personal information.

Description

The breach occurred when a threat actor used a stolen credential to access Okta’s support case management system. This allowed them to download the names and email addresses of all Okta customer support system users [3] [4] [5], as well as the full names and email addresses of 99.6% of customers [6]. In some cases, additional information such as phone numbers, usernames [6], and employee role details may have also been accessed [6].

The breach affected all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers [4] [5], with the exception of those in specific environments such as the FedRAMP High and DoD IL4 environments. Reports containing contact information of Okta certified users [3] [4], some Okta Customer Identity Cloud (CIC) customers [3] [4] [6], and unspecified Okta employee information were also accessed [3] [4].

The breach took place between September 28 and October 17, 2023 [4]. However, user credentials and sensitive personal data were not compromised [4]. Okta has taken immediate action to notify all customers of potential phishing and social engineering risks and has implemented new security features on its platforms [3]. The company is advising customers to use multi-factor authentication and phishing-resistant authenticators [6].

Okta has engaged a digital forensics firm to assist with the investigation and will notify individuals whose information was downloaded [3]. The identity of the threat actors behind the attack is currently unknown [2] [3] [6], but Okta has previously been targeted by a cybercrime group called Scattered Spider, known for their sophisticated social engineering attacks [3] [5].

This is not the first security incident impacting Okta [6], as the company has previously experienced source code theft and network breaches [6]. Okta has admitted to mishandling the investigation of the recent hack [2], failing to detect 99% of the stolen data. This is the fifth hack that Okta has experienced in less than two years [2].

The customer who discovered the hack was ignored for two weeks despite contacting Okta multiple times [2]. The company’s shares have dropped by 10% in premarket trading [2]. The hackers may use the stolen information to target Okta customers through phishing or social engineering [2].

The initial analysis of the breach was flawed because the hackers ran an unfiltered view of the stolen report [2]. Additional reports and support cases were also accessed by the hackers [2], which contained contact information of Okta users and some customer contacts [2]. Okta employee information was also included in the stolen data [2].

Okta recently expanded its impact assessment of the October 2023 breach [1], revealing that threat actors were able to retrieve names and email addresses of all users in Okta’s customer support system [1]. This breach has affected most customers using Okta’s Workforce Identity Cloud and Customer Identity Solution [1].

Conclusion

Okta is actively informing individuals and customers about potential phishing risks and has strengthened its security measures to counter potential targeted attacks [1]. Concerns have been raised about cybercriminal groups like Scattered Spider [1], known for using social engineering techniques and targeting identity management systems [1]. Okta’s commitment to transparency and proactive security measures highlights the need for continuous vigilance and robust defenses against sophisticated cyber threats [1].

References

[1] https://cybermaterial.com/okta-expands-breach-impact/
[2] https://securityboulevard.com/2023/11/okta-again-hacked-richixbw/
[3] https://cybersecurity-see.com/okta-reveals-extended-influence-related-to-october-2023-support-system-breach/
[4] https://thehackernews.com/2023/11/okta-discloses-additional-data-breach.html
[5] https://cybersocialhub.com/csh/okta-discloses-broader-impact-linked-to-october-2023-support-system-breach/
[6] https://techcrunch.com/2023/11/29/okta-admits-hackers-accessed-data-on-all-customers-during-recent-breach/
[7] https://www.reuters.com/technology/cybersecurity/okta-says-hackers-stole-data-all-customer-support-users-cyber-breach-2023-11-29/