Omar Marx/SOPA Images/LightRocket via Getty Images

Identity and authentication management provider Okta on Friday published an autopsy report on a recent breach that gave hackers administrative access to the Okta accounts of some of its customers. While the postmortem emphasizes the breach involved an employee logging into a personal Google account on a work device, the biggest contributing factor was something the company underestimated: a badly configured services account.

In a post, Okta Chief Security Officer David Bradbury said the threat actor behind the attack most likely gained access to parts of his company’s customer support system by first accessing an employee’s personal device or personal Google account. Had to compromise and get it from there. The username and password for a special type of account, known as a service account, is used to connect to the support section of the Okta network. Once the threat actor had access, they could obtain administrative credentials to log into Okta accounts belonging to 1Password, BeyondTrust, Cloudflare, and other Okta customers.

passing the buck

“During our investigation into the suspicious use of this account, Okta Security discovered that an employee had signed in to his personal Google profile on the Chrome browser of his Okta-managed laptop,” Bradbury wrote. “The service account username and password were saved in the employee’s personal Google account. The most likely way for these credentials to be exposed is through the compromise of the employee’s personal Google account or personal device.”

This means that when the employee logged in to the account on Chrome while authenticating to a personal Google account, the credentials were saved to that account, presumably through Chrome’s built-in password manager. Then, after compromising the individual account or device, the threat actor obtained the credentials needed to access the Okta account.

Access to personal accounts has long been a big no-no at a company like Okta. And if that prohibition wasn’t obvious to some people before, it should be now. The employee almost certainly violated company policy, and it would not be surprising if the offense resulted in the employee being fired.

However, it would be wrong for anyone to conclude that the breach was caused by employee misconduct. It was not. Instead, the fault lies with the security people who designed the support system that was breached, specifically the way the breached service account was configured.

A service account is a type of account that exists in various operating systems and frameworks. Unlike standard user accounts, which are accessed by humans, service accounts are mostly reserved for automating machine-to-machine tasks, such as performing data backups or antivirus scans at a particular time every night. For this reason, they cannot be locked with multifactor authentication like user accounts. This explains why MFA was not set up on the account. However, the breach highlights several flaws that did not get the attention they deserved in Friday’s post.

Source: arstechnica.com