Okta has been weathering sporadic security issues for over a year now, and a new one has cropped up as the company has disclosed exposure of customer files uploaded to the Okta support system. The security breach took place near the start of October and the window may have been open for most of the first half of the month.
The breach report originates from BeyondTrust, a service provider for Okta, which says it noticed the intrusion within half an hour of it happening, when the attacker tried to use the stolen access to gain administrator rights on BeyondTrust's own systems and fell short because of the company's internal security policies. BeyondTrust reports that the attacker captured a session cookie that had been uploaded to the Okta support environment, which provided administrator-level access to downstream customer environments.
Okta security breach: Support files exposed, attackers may have breached customer accounts
The breach window runs from October 2 to somewhere around October 13-19, going by information provided by BeyondTrust. The company notified the Okta support desk shortly after it began, then requested an escalation to Okta security the following day (October 3) after an insufficient response. It was not until October 11 that BeyondTrust reports holding a two-day series of meetings with Okta security over Zoom, finally ending with an acknowledgement of a security breach (that was disclosed to the public on October 20).
It should be noted that the Okta support environment is segmented, and the case management system is the only part that was impacted in this security breach (a separate case management system for Auth0/CIC and its production service are not known to be impacted). However, at minimum, customers may have had files they uploaded to Okta support exposed to the hackers.
As BeyondTrust notes, the attackers also attempted to probe further into customer environments; Okta has not said how many were compromised but characterized it as a “very small number” and says it has contacted each individually at this point. Thus far, the only big name to report a security breach is Cloudflare, which said that it saw an attempt on its environment from a rogue Okta support account on October 18 that compromised two employee accounts but caused only “minimal damage.”
BeyondTrust provides blueprint for stopping similar future breaches
BeyondTrust's response demonstrates how a customer can shut down a rogue administrator session coming from the Okta support environment, but it depends on having custom policies in place and noticing anomalous behavior quickly.
The security firm implemented a custom policy configuration for admin console access that, among other things, required Okta Verify to be present on a managed device. This is not a complete shield: the attacker was able to use the stolen session cookie to authenticate admin API actions instead, but this was limited to creating a user account intended as a backdoor, which security staff quickly noticed and disabled before the breach could progress any further.
Other suggestions from the security firm include using Okta global session policies to require users to have MFA enabled for each login, and shortening Okta session length to more quickly neutralize a stolen cookie.
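The two checks that caught the activity described above (an admin action arriving from a client that does not match the one that started the session, and a session living longer than the configured lifetime) can be expressed as detection logic over Okta System Log events. The following is an added example, not code from the article, BeyondTrust or Okta. It assumes the documented System Log JSON shape (eventType, actor, client.ipAddress, client.userAgent.rawUserAgent, authenticationContext.externalSessionId, published); the sample events, user ids and session id are constructed for illustration, and the two-hour maximum session age is an assumed policy value.

```python
"""Flag sensitive Okta admin actions performed under a possibly hijacked session.

Added example (not the article's or BeyondTrust's code). Assumes Okta System Log
events in their documented JSON shape; the events below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Admin API actions worth reviewing when they happen under an odd session.
SENSITIVE_EVENTS = {
    "user.lifecycle.create",
    "user.account.privilege.grant",
    "application.user_membership.add",
}

# Constructed sample events (not real Okta data). One admin session "sess-A"
# starts from a browser on a managed device; later a user is created from a
# different IP and user agent under the same session id, and a privilege grant
# arrives the next morning, long after the session should have expired.
SAMPLE_EVENTS = [
    {"published": "2023-10-02T09:00:00.000Z", "eventType": "user.session.start",
     "actor": {"id": "00uADMIN", "alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh)"}},
     "authenticationContext": {"externalSessionId": "sess-A"}},
    {"published": "2023-10-02T09:05:00.000Z", "eventType": "user.lifecycle.create",
     "actor": {"id": "00uADMIN", "alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh)"}},
     "authenticationContext": {"externalSessionId": "sess-A"},
     "target": [{"alternateId": "new.hire@example.com"}]},
    {"published": "2023-10-02T11:30:00.000Z", "eventType": "user.lifecycle.create",
     "actor": {"id": "00uADMIN", "alternateId": "admin@example.com"},
     "client": {"ipAddress": "198.51.100.77",
                "userAgent": {"rawUserAgent": "python-requests/2.31"}},
     "authenticationContext": {"externalSessionId": "sess-A"},
     "target": [{"alternateId": "svc-backup@example.com"}]},
    {"published": "2023-10-03T08:00:00.000Z", "eventType": "user.account.privilege.grant",
     "actor": {"id": "00uADMIN", "alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh)"}},
     "authenticationContext": {"externalSessionId": "sess-A"},
     "target": [{"alternateId": "svc-backup@example.com"}]},
]


def _published(event):
    """Parse the System Log 'published' timestamp into an aware datetime."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc)


def _fingerprint(event):
    """(session id, client IP, raw user agent) for an event; missing parts are None."""
    sid = event.get("authenticationContext", {}).get("externalSessionId")
    client = event.get("client", {})
    ip = client.get("ipAddress")
    ua = (client.get("userAgent") or {}).get("rawUserAgent")
    return sid, ip, ua


def find_suspicious_admin_actions(events, max_session_age=timedelta(hours=2)):
    """Return a list of (reason, event) for sensitive actions that either come
    from a client fingerprint different from the one that started the session,
    or occur after the session has outlived max_session_age (assumed policy)."""
    sessions = {}  # session id -> (start time, ip, user agent)
    findings = []
    for event in sorted(events, key=_published):
        sid, ip, ua = _fingerprint(event)
        when = _published(event)
        if event["eventType"] == "user.session.start":
            sessions[sid] = (when, ip, ua)
            continue
        if event["eventType"] not in SENSITIVE_EVENTS:
            continue
        if sid not in sessions:
            findings.append(("sensitive action with no observed session start", event))
            continue
        started, ip0, ua0 = sessions[sid]
        if (ip, ua) != (ip0, ua0):
            findings.append(("client fingerprint changed mid-session", event))
        elif when - started > max_session_age:
            findings.append(("session older than maximum lifetime", event))
    return findings


if __name__ == "__main__":
    for reason, event in find_suspicious_admin_actions(SAMPLE_EVENTS):
        target = event.get("target", [{}])[0].get("alternateId")
        print(f"{event['published']} {event['eventType']} -> {target}: {reason}")
```

The fingerprint check is deliberately strict (any change of IP or user agent within a session is flagged); in a real deployment you would tune it to tolerate known NAT or roaming behaviour and feed the findings into the same queue that handles other admin-console alerts.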