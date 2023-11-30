When KrebsOnSecurity reported on October 20, 2023 that the identity and authentication giant okta After suffering a breach in its customer support department, Okta said that the intrusion allowed hackers to steal sensitive data from less than one percent of its 18,000+ customers. But today, Okta revised that impact statement, saying that the attackers also stole the names and email addresses of nearly all of its customer support users.

Okta acknowledged last month that for several weeks starting in late September 2023, intruders had access to its customer support case management system. That access allowed hackers to steal authentication tokens from some Okta customers, which the attackers could use to make changes to customer accounts, such as adding or modifying authorized users.

In its initial incident report about the breach, Okta said that hackers gained unauthorized access to files inside Okta’s customer support system belonging to 134 Okta customers, or less than 1% of Okta’s customer base.

But in an updated statement published this morning, Okta said it has determined that the intruders also stole the names and email addresses of all Okta customer support system users.

Okta’s advisory states, “All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are affected except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system which is not accessed by the threat actor). “The Auth0/CIC support case management system was also not impacted by this incident.”

Okta said that for about 97 percent of users, the only contact information exposed was full name and email address. This means that approximately three percent of Okta customer support accounts had one or more of the following data fields exposed (in addition to email address and name): Last login; User name; phone number; SAML Federation ID; company’s name; job role; user type; Date of last password change or reset.

Okta notes that a large number of the exposed accounts belong to Okta administrators – IT people responsible for integrating Okta’s authentication technology inside customer environments – and that these individuals should be alert for targeted phishing attacks.

“Many users of the customer support system are Okta administrators,” Okta explained. “It is important that these users have multi-factor authentication (MFA) enrolled, not only to protect the customer support system, but also to secure access to their Okta admin console.”

While it may seem completely counterintuitive that some companies allow their IT staff to operate a company-wide authentication system using an Okta administrator account that is not protected by MFA, Okta said Six percent of its customers (over 1,000) engaged in this dangerous practice.

In previous disclosures on November 3, Okta accused an employee of intrusion who had saved the credentials of a service account in Okta’s customer support infrastructure to his personal Google account, and said it was possible that the employee’s personal device Those credentials may have been stolen while using. The same Google account was compromised.

Unlike standard user accounts, which are accessed by humans, service accounts are mostly reserved for automating machine-to-machine tasks, such as performing data backups or antivirus scans at a particular time every night. For this reason, they cannot be locked with multifactor authentication like user accounts.

Dan Goodin at Ars Technica believes this explains why MFA was not set up on the compromised Okta service account. But as they rightly point out, if a breach by a single employee leads to a breach in your network, you’re doing it wrong.

“Okta should have put in place access controls beyond simple passwords to limit who or what can log into a service account,” Goodin wrote on Nov. 4. “One way to do this is to impose a limit or conditions on the IP.” Addresses that can be added. The second is to regularly rotate the access tokens used to authenticate service accounts. And, of course, it should have been impossible for employees to log into personal accounts on the work machine. These and other precautions are the responsibility of Okta’s senior people.

Goodin suggested that people who want a more in-depth look at the different methods for securing service accounts should read this thread on Mastodon.

“A fair number of the contributions come from security professionals with extensive experience working in sensitive cloud environments,” Goodin wrote.

Source: krebsonsecurity.com