Okta: 134 customers exposed in October support system hack

Okta says attackers who breached its customer support system last month gained access to files belonging to 134 customers, five of which were later targeted in session hijacking attacks carried out with stolen session tokens.

“From September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers,” Okta revealed.

“Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event.”
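A HAR file is a JSON recording of a browser session, so every Cookie, Set-Cookie and Authorization header of the captured requests ends up in it verbatim. The following is an added defensive example, not code from the article or from Okta, showing how to inventory and strip that session material before a capture is uploaded to a support case. The HAR structure is the standard HAR 1.2 layout; the hostname, cookie names, token values and the list of sensitive query-parameter patterns are constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed, minimal HAR 1.2 capture standing in for the kind of browser
# recording a customer uploads to a support case. Hostname, cookie names and
# token values are invented; none of this is real Okta traffic.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://tenant.example.invalid/api/v1/users/me?sessionToken=tok123",
                    "headers": [
                        {"name": "Cookie", "value": "sid=abc123session; DT=devtoken99"},
                        {"name": "Authorization", "value": "Bearer eyJhbGciOi.payload.sig"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "abc123session"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=newsession456; Secure; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "newsession456"}],
                    "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"},
                },
            }
        ],
    }
}

# Header names and query-parameter name patterns that carry session material
# (the parameter patterns are an assumption for this example, not a standard).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_PARAM = re.compile(r"(token|session|sid|code|secret)", re.IGNORECASE)
REDACTED = "REDACTED"


def find_session_material(har):
    """List (entry index, side, location) for every unredacted secret in the HAR."""
    findings = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS and h["value"] != REDACTED:
                    findings.append((i, side, "header:" + h["name"]))
            for c in part.get("cookies", []):
                if c["value"] != REDACTED:
                    findings.append((i, side, "cookie:" + c["name"]))
            if side == "request":
                for name, value in parse_qsl(urlsplit(part.get("url", "")).query):
                    if SENSITIVE_PARAM.search(name) and value != REDACTED:
                        findings.append((i, side, "query:" + name))
    return findings


def _redact_url(url):
    """Blank the value of any query parameter whose name looks like a credential."""
    parts = urlsplit(url)
    query = [(n, REDACTED if SENSITIVE_PARAM.search(n) else v) for n, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def sanitize_har(har):
    """Return a deep copy of the HAR with session material replaced; the input is untouched."""
    clean = json.loads(json.dumps(har))
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in part.get("cookies", []):
                c["value"] = REDACTED
            if side == "request" and "url" in part:
                part["url"] = _redact_url(part["url"])
    return clean


if __name__ == "__main__":
    print("before:", find_session_material(SAMPLE_HAR))
    clean = sanitize_har(SAMPLE_HAR)
    print("after:", find_session_material(clean))
    print(json.dumps(clean, indent=2))
```

Run `find_session_material` on the raw capture first: the list it returns is exactly the set of values an attacker with read access to the support case would have obtained, which makes it the right input for deciding which sessions to revoke if a capture has already been shared. Response bodies are left alone here because redacting them blindly destroys the diagnostic value of the file; review them by hand for anything token-shaped before uploading.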

The three Okta customers that have already disclosed they were targeted as a result of the company’s October security breach are 1Password, BeyondTrust, and Cloudflare. All of them notified Okta of suspicious activity after detecting unauthorized attempts to log into in-house Okta administrator accounts.

Despite being alerted about session hijacking attempts on September 29, Okta took over two weeks to formally confirm the breach of its support system, after multiple meetings with the three affected customers.

To breach Okta’s support system, the threat actors used credentials for a support service account stolen from an employee’s personal Google account, after the employee logged into their personal Google profile while using an Okta-managed laptop.

While Okta did not share how the attackers stole the service account credentials, the company said that “the most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

In response to the breach, Okta took several measures to prevent similar incidents in the future, including disabling the compromised service account, blocking the use of personal Google profiles with Google Chrome on Okta-managed devices, deploying additional detection and monitoring rules for its customer support system, and binding Okta administrator session tokens based on network location.
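The last of those measures is the one that directly defeats the HAR-file replay described above: a session token copied out of a support upload is useless if the identity provider refuses it from any network other than the one it was issued to. The following is an added illustration of that idea, not Okta’s implementation and not code from the article; it approximates “network location” by the IPv4 /24 or IPv6 /64 prefix seen at login (an assumption chosen for the example) and revokes the session outright on a mismatch so the administrator must re-authenticate.

```python
import hashlib
import ipaddress
import secrets


class LocationBoundSessions:
    """Server-side session store whose tokens are only honoured from the network they were issued to.

    Assumption for this example (not a documented Okta mechanism): "network
    location" is the IPv4 /24 or IPv6 /64 prefix of the client at issuance.
    A presentation from any other prefix revokes the session, so a token
    lifted from a HAR file cannot be replayed from the attacker's network.
    """

    def __init__(self):
        self._sessions = {}  # sha256(token) -> {"user": ..., "net": ip_network}

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked session table does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _network(client_ip):
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def issue(self, user, client_ip):
        """Create a session for `user` bound to the network of `client_ip`; returns the bearer token."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "net": self._network(client_ip)}
        return token

    def validate(self, token, client_ip):
        """Return the user for a live token presented from its bound network, otherwise None."""
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        if ipaddress.ip_address(client_ip) not in record["net"]:
            # Presented from a different network: revoke rather than merely deny,
            # so the legitimate holder is forced back through authentication.
            del self._sessions[key]
            return None
        return record["user"]

    def active(self):
        """Number of sessions currently honoured."""
        return len(self._sessions)


if __name__ == "__main__":
    store = LocationBoundSessions()
    tok = store.issue("admin@example.invalid", "203.0.113.10")  # constructed documentation address
    print(store.validate(tok, "203.0.113.77"))   # same /24: admin@example.invalid
    print(store.validate(tok, "198.51.100.5"))   # other network: None, session revoked
    print(store.validate(tok, "203.0.113.10"))   # None: already revoked
```

The revoke-on-mismatch choice is deliberate: silently denying the request would leave the token live for the attacker to try again from a closer vantage point, whereas revocation turns every replay attempt into a forced re-login that the legitimate administrator will notice. In a real deployment the prefix check would be paired with the detection rules mentioned above, so that a revocation event is logged and alerted on rather than just enforced.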

“We have notified all customers of our findings and have completed remediations to protect all our customers. We apologize to all our customers that trust Okta as their identity provider,” Okta told BleepingComputer after the article was published.

Multiple hits over the past two years

Earlier this week, Okta warned nearly 5,000 current and former employees that their personal information was exposed after its healthcare coverage provider, Rightway Healthcare, was breached on September 23.

Sensitive information exposed in this third-party breach includes employees’ full names, their Social Security numbers (SSNs), and health or medical insurance plan numbers.

Over the past two years, Okta has experienced several other breaches resulting from credential theft and social engineering attacks.

In December 2022, Okta acknowledged a security breach in which hackers accessed confidential source code stored inside its private GitHub repositories.

The Lapsus$ extortion group had previously claimed a similar hack in March 2022, an incident later verified by Okta. That breach affected roughly 2.5% of the company’s customer base.

Okta subsidiary Auth0 also disclosed that the contents of some older source code repositories were stolen by unknown attackers using an unknown method.

Update November 03, 10:45 EDT: Added statement from Okta.
