The identity and authentication management company Okta disclosed on Friday that 134 of its 18,400 customers were affected by the most recent breach of its support case management system. Between September 28 and October 17, 2023, an unauthorized intruder had access to HAR files that customers had uploaded to the system; those files contained session tokens that could be reused in session hijacking attacks.
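Because the stolen HAR files carried live session tokens, the customer-side control that matters most is to strip that material before a HAR leaves the browser. The following Python function is an added example, not Okta’s code or tooling: it redacts cookie and authorization values from a HAR file and reports how many values it scrubbed. The sample HAR is constructed for illustration and the hostname in it is a placeholder.

```python
import json

# Header names whose values carry session material (matched case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _redact_headers(headers, counter):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED
            counter[0] += 1


def _redact_cookies(cookies, counter):
    # HAR stores parsed cookies next to the raw header, so both must be scrubbed.
    for c in cookies:
        if "value" in c:
            c["value"] = REDACTED
            counter[0] += 1


def sanitize_har(har_text: str) -> tuple[str, int]:
    """Return (sanitized HAR JSON text, number of values redacted)."""
    har = json.loads(har_text)
    counter = [0]
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            _redact_headers(part.get("headers", []), counter)
            _redact_cookies(part.get("cookies", []), counter)
    return json.dumps(har, indent=2), counter[0]


# Constructed sample HAR (not a real capture): one request carrying a session cookie and a bearer token.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [{
        "request": {
            "url": "https://example-tenant.invalid/api/v1/users/me",
            "headers": [{"name": "Cookie", "value": "sid=EXAMPLE-SESSION-ID"},
                        {"name": "Authorization", "value": "Bearer EXAMPLE-TOKEN"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "EXAMPLE-SESSION-ID"}]},
        "response": {
            "headers": [{"name": "Set-Cookie", "value": "sid=EXAMPLE-NEW; Secure; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "EXAMPLE-NEW"}]}}]}})


if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values")
```

Non-sensitive headers such as Accept are left intact so the file remains useful for support diagnosis.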
According to David Bradbury, Okta’s Chief Security Officer, the threat actor used these session tokens to hijack the legitimate Okta sessions of five customers, including 1Password, BeyondTrust, and Cloudflare. 1Password was the first to detect unusual activity, on September 29. Two further customers, which have not been named, discovered intrusions on October 12 and October 18.
Okta publicly disclosed the incident on October 20, attributing the breach to a threat actor who used a stolen credential to access Okta’s support case management system.
The company has since released further details on how the breach occurred. Unauthorized access to Okta’s customer support system was gained by misusing a service account stored within the system itself; that service account had permission to view and update customer support cases.
A further investigation found that the username and password for the service account had been saved in an employee’s personal Google account. The employee had signed into that personal account in the Chrome web browser on their Okta-managed laptop.
According to Bradbury, a compromise of the employee’s personal Google account or personal device was the most likely way the credential was exposed. In response, Okta disabled the compromised service account and revoked the session tokens contained in the HAR files that the affected customers had shared.
As a further response to the incident, Okta added session token binding based on network location to its product, to reduce the risk of session token theft against Okta administrators. The feature is available to customers in the early access section of the Okta admin console and requires Okta administrators to re-authenticate when their network location changes.
The disclosure follows Okta’s recent announcement that a September 23 breach of its healthcare coverage vendor, Rightway Healthcare, exposed the personal information of 4,961 current and former employees.