
Okta’s October Support System Breach Impacted 134 Customers


Written by: Shipra Sanganeria, Cybersecurity & Tech Writer

Okta, an identity and access management solution provider, revealed last week that the October security breach had affected 134 of its customers. Among them, 5 later suffered session hijacking attacks due to stolen session tokens.

In the post, the company revealed that between September 28 and October 17, 2023, an unknown attacker had gained access to files inside its customer support system. “Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” the post revealed.
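Because a HAR file records every request and response header verbatim, a capture uploaded to a support case can carry live session cookies and bearer tokens. As an added example (not Okta's code and not from this article), a small Python sanitizer that redacts those values from a parsed HAR before the file leaves the customer's machine; the header list and the sample capture are constructed assumptions:

```python
import json
from copy import deepcopy

# Header names that carry authentication state (assumed list for this example).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}
REDACTED = "REDACTED"


def sanitize_har(har):
    """Return a copy of a parsed HAR dict with session-bearing header and cookie values redacted."""
    clean = deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for part in ("request", "response"):
            msg = entry.get(part, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            # HAR also lists parsed cookies separately; redact every value there too.
            for c in msg.get("cookies", []):
                c["value"] = REDACTED
    return clean


def leaked_values(har, secrets):
    """Return the secret strings that still appear anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed sample HAR (not a real capture): one request/response pair with a session cookie and bearer token.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example.invalid/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": "sid=EXAMPLE_SID_123"},
                    {"name": "Authorization", "value": "Bearer EXAMPLE_TOKEN_456"}],
        "cookies": [{"name": "sid", "value": "EXAMPLE_SID_123"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=EXAMPLE_SID_789; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "EXAMPLE_SID_789"}],
    },
}]}}

SECRETS = ["EXAMPLE_SID_123", "EXAMPLE_TOKEN_456", "EXAMPLE_SID_789"]

if __name__ == "__main__":
    before = leaked_values(SAMPLE_HAR, SECRETS)
    after = leaked_values(sanitize_har(SAMPLE_HAR), SECRETS)
    print(f"secrets present before: {before}, after: {after}")
```

The check in leaked_values is the useful part for a support workflow: run it over the sanitized file and refuse the upload if anything is still found.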

“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event,” CSO David Bradbury explained.

The 3 Okta customers that had reported suspicious activity to it include 1Password, BeyondTrust, and Cloudflare. After being notified, Okta launched an investigation, which revealed that service account credentials stored in the support system itself were leveraged to view and update customer support cases.

“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury stated. “The username and password of the service account had been saved into the employee’s personal Google account,” he continued.

Although the company did not share details about how the threat actor obtained the service account credentials, it believes that either the employee’s personal device or their Google account was compromised.

Since the incident, Okta has taken various remediation measures, including:

  • Disabling the compromised service account in the support system.
  • Blocking the use of personal Google profiles with Google Chrome on Okta-managed devices.
  • Enhancing customer support system monitoring by implementing additional detection and monitoring rules.

The company has also introduced session token binding based on network location to reduce the risk of session token theft.
