Okta breach: 134 customers exposed in October support system hack

Okta says attackers who breached its customer support system last month gained access to files belonging to 134 customers, five of them later being targeted in session hijacking attacks with the help of stolen session tokens.

"From September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta's customer support system associated with 134 Okta customers, or less than 1% of Okta customers," Okta revealed.

"Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event."

The three Okta customers that already disclosed they were targeted due to the company's October security breach are 1Password, BeyondTrust, and Cloudflare. They all notified Okta of suspicious activity after detecting unauthorized attempts to log into in-house Okta administrator accounts. 

Despite being alerted about session hijacking attempts on September 29, Okta took over two weeks to officially confirm the breach in their support system after multiple meetings with the three affected customers.

To breach Okta's support system, the threat actors used credentials for a support service account stolen from an employee's personal Google account after they logged into their personal Google profile while using an Okta-managed laptop.

While Okta didn't share how the attackers stole the service account credentials, the company said that "the most likely avenue for exposure of this credential is the compromise of the employee's personal Google account or personal device."

In response to the breach, Okta took multiple measures to prevent similar incidents in the future, including disabling the compromised service account, blocking the use of personal Google profiles with Google Chrome on Okta-managed devices, deploying additional detection and monitoring rules for its customer support system, and binding Okta administrator session tokens based on network location.

"We have notified all customers of our findings and have completed remediations to protect all our customers. We apologize to all our customers that trust Okta as their identity provider," Okta told BleepingComputer after the article was published.

Multiple hits over the last two years

Earlier this week, Okta warned nearly 5,000 current and former employees that their personal information was exposed after its healthcare coverage provider, Rightway Healthcare, was breached on September 23.

Sensitive information exposed in this third-party breach includes employees' full names, their social security numbers (SSNs), and Health or Medical Insurance plan numbers.

Over the last two years, Okta has experienced several other breaches due to credential theft and social engineering attacks.

In December 2022, Okta acknowledged a security breach where hackers accessed confidential source code information stored within its private GitHub repositories. 

The Lapsus$ extortion group had previously claimed a similar hack in March 2022, an incident later verified by Okta. The breach affected approximately 2.5% of the company's customer base.

Okta subsidiary Auth0 also disclosed that the contents of some older source code repositories were stolen by unknown attackers using an unknown method.

Update November 03, 10:45 EDT: Added statement from Okta.