Identity management platform Okta, on October 20th 2023, said it had suffered another breach in its customer support system.
Because Okta provides access and authentication services, a breach of its systems also carries risk for the organizations that rely on it.
Okta confirmed that “certain Okta customers” were affected.
It told WIRED that it had notified “around 1%” of its 18,400 customers that they had been impacted by this breach.
1Password, a password manager and Okta customer, observed this week that on September 29th 2023 it had notified Okta of suspicious activity which was ultimately tied to the support system incident.
Identity and access management firm BeyondTrust said last week that it had flagged suspicious behaviour in its Okta administrator account and notified the company on October 2nd 2023.
Cloudflare also said last week that a similar incident had been detected in its Okta systems on October 18th 2023, and that it had notified the company as well.
Companies such as Okta that provide important digital services to such a large number of prominent customers are always going to be key targets for malicious threat actors, as these kinds of providers are a one-stop shop for attackers who want to breach numerous organizations.
Microsoft has shown that some of these attacks may lead to breaches even if the majority of them are blocked.
This breach of Okta is rather concerning as it shares many features with the security incident the company had to deal with in 2022, where malicious threat actors compromised a sub-processor that Okta had trusted to carry out customer support work.
Adam Chester a senior security consultant at TrustedSec said the following:
“What I find surprising in this case is that, after the 2022 breach, you’d think Okta would be on high alert for any externally exposed systems or personnel who may be targeted – and yet something has happened again.”
This latest incident affected Okta’s internal customer support service and not one provided by a 3rd party partner.
In this specific incident the malicious threat actor used stolen credentials to compromise an Okta support account. They then leveraged this type of access to steal cookies and session tokens used to give customer support providers access to clients’ systems to carry out remote troubleshooting. As a result of having their hands on the access tokens the attackers could then compromise Okta customer accounts directly.
1Password, BeyondTrust, and Cloudflare all managed to detect and block the intrusion attempts before any of their own customers were affected, but they stressed the fact that they notified Okta about the situation prior to Okta warning them, and in some cases weeks before they publicly disclosed the incident.
Cloudflare engineers wrote:
“This is the second time Cloudflare has been impacted by a breach of Okta’s Systems.”
The engineers went on to share a list of recommendations on how the security posture can be improved in Okta.
“Take any report of compromise seriously and act immediately to limit the damage. Provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them. Require hardware keys to protect all systems, including 3rd party support providers.”
Cloudflare engineers added that they view taking protective steps like these as “table stakes” for such a company as Okta since it provides crucial security services to so many organizations.
WIRED reached out to Okta with a series of questions such as:
- What steps is Okta taking to improve customer service defences in the wake of these 2 breaches?
- Why does there appear to be a lack of urgency when the company gets reports of potential incidents?
The company declined to comment but a spokesperson said it would share more information soon in regards to these subjects.
Evan Johnson, cofounder of RunReveal, which develops a system visibility and incident detection tool, said the following:
“I really want to know what technical controls Okta had implemented following the 2022 breach, and why this time things will be different. My hunch is they did not roll out hardware security keys, or didn’t roll them out for their contractors doing support.”
Former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security, Jake Williams, emphasizes the following:
“The issue is bigger than Okta.”
He notes that software supply chain attacks are part of the problem, and that the volume of attacks businesses must defend against is enormous.
He also says:
“It’s unfortunately common for service providers of any size to have trouble believing they are the source of an incident until definitive proof is offered.”
Williams further adds:
“There’s a pattern here with Okta, and it involves outsourced support.”
He further adds that one of the remediations Okta suggested to its clients as a result of this incident, carefully stripping potentially compromised support session tokens from troubleshooting data before sharing it, is not realistic.
“Okta’s suggestion that somehow the customer must be responsible for stripping session tokens from the files they specifically request for troubleshooting purposes is absurd; that is like handing a knife to a toddler and then blaming the toddler for bleeding.”
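The remediation debated above, removing session tokens from troubleshooting data before it leaves the customer's hands, is the kind of thing that is only realistic if it is automated. The following is an added example, not code from the article, from Okta or from any of the companies quoted. It assumes the troubleshooting data is a browser HTTP Archive (HAR) JSON export, which the article does not specify, and it works on a constructed sample entry. It scrubs credential-bearing headers (Cookie, Set-Cookie, Authorization), every cookie value, and token-like query and POST parameters (a constructed name list; extend it for your own stack), reports where each redaction happened, and offers a gate function so an upload tool can refuse a file that still carries session material.

```python
"""Scrub session material from a HAR-style troubleshooting export.

Added example (not from the article, Okta, or the quoted companies).
Assumes the export is HAR 1.2 JSON; the sample below is constructed.
"""
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names whose values carry credentials or session state (case-insensitive).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Parameter names that commonly carry tokens: a constructed list, extend for your stack.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "session", "sessiontoken"}
REDACTED = "[REDACTED]"


def _scrub(pairs, names, where, findings):
    """Redact the value of each name/value pair whose name is in `names`
    (every pair when names is None) and record where the hit was."""
    for idx, item in enumerate(pairs):
        name = str(item.get("name", ""))
        matches = names is None or name.lower() in names
        if matches and item.get("value") not in (None, REDACTED):
            findings.append(f"{where}[{idx}] {name}")
            item["value"] = REDACTED


def _scrub_url(url, where, findings):
    """Redact token-like query parameters embedded in the request URL itself."""
    parts = urlsplit(url)
    out, hit = [], False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS and value != REDACTED:
            out.append((key, REDACTED))
            hit = True
        else:
            out.append((key, value))
    if not hit:
        return url
    findings.append(f"{where} url")
    return urlunsplit(parts._replace(query=urlencode(out)))


def sanitize_har(har):
    """Return (sanitized deep copy, list of redaction locations).

    Raw postData.text is replaced wholesale when it mentions a sensitive
    parameter name (conservative substring check), because bodies may carry
    tokens in formats this function does not parse.
    """
    clean = copy.deepcopy(har)
    findings = []
    for i, entry in enumerate(clean.get("log", {}).get("entries", [])):
        req, resp, p = entry.get("request", {}), entry.get("response", {}), f"entries[{i}]"
        _scrub(req.get("headers", []), SENSITIVE_HEADERS, f"{p}.request.headers", findings)
        _scrub(resp.get("headers", []), SENSITIVE_HEADERS, f"{p}.response.headers", findings)
        # HAR lists parsed cookies separately from the Cookie/Set-Cookie headers.
        _scrub(req.get("cookies", []), None, f"{p}.request.cookies", findings)
        _scrub(resp.get("cookies", []), None, f"{p}.response.cookies", findings)
        _scrub(req.get("queryString", []), SENSITIVE_PARAMS, f"{p}.request.queryString", findings)
        if "url" in req:
            req["url"] = _scrub_url(req["url"], f"{p}.request", findings)
        post = req.get("postData", {})
        _scrub(post.get("params", []), SENSITIVE_PARAMS, f"{p}.request.postData.params", findings)
        text = post.get("text")
        if text and any(k in text.lower() for k in SENSITIVE_PARAMS):
            findings.append(f"{p}.request.postData.text")
            post["text"] = REDACTED
    return clean, findings


def has_session_material(har):
    """True if a sanitize pass would still change something: use as an upload gate."""
    return bool(sanitize_har(har)[1])


# Constructed sample: one captured request/response with a session cookie,
# a bearer token and a token query parameter. Values are placeholders.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.invalid/api/me?token=tkn-0001&page=1",
        "headers": [{"name": "Cookie", "value": "sid=sess-0001"},
                    {"name": "Authorization", "value": "Bearer at-0001"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "sess-0001"}],
        "queryString": [{"name": "token", "value": "tkn-0001"},
                        {"name": "page", "value": "1"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=sess-0002; HttpOnly; Secure"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "sess-0002"}],
    },
}]}}

if __name__ == "__main__":
    _, hits = sanitize_har(SAMPLE_HAR)
    print("\n".join(hits))
```

Run it on a real export with `sanitize_har(json.load(f))` and write the first element back out; refuse to attach the file while `has_session_material` is still true. The scrubbing is idempotent, so a second pass reports nothing, and the non-sensitive fields (Accept, Content-Type, the `page` parameter) survive so the file stays useful for support.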