November 5, 2023
Okta’s recent customer support data breach affected 134 customers


Identity and authentication management provider Okta revealed on Friday that a recent support case management system breach affected 134 of its 18,400 customers.

The company further said that the unauthorized intruder had access to its systems from September 28 to October 17, 2023, and ultimately obtained HAR files containing session tokens, which can be used for session hijacking attacks.
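As an added defender-side illustration (not from the article or from Okta), the following Python sanitizer redacts session cookies, authorization headers and response bodies from a HAR file before it is uploaded to a support case; the HAR structure, header names and token value are constructed for the example.

```python
import copy
import json

# Header names whose values carry credentials or session state. Cookie records
# are always redacted in full; header-name matching is case-insensitive.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-okta-session-token"}
REDACTED = "[REDACTED]"

def _scrub(pairs, names=None):
    """Redact the value of each {name, value} record; all of them if names is None."""
    for item in pairs:
        if names is None or item.get("name", "").lower() in names:
            item["value"] = REDACTED

def sanitize_har(har):
    """Return a deep copy of a parsed HAR with session-bearing fields redacted."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub(msg.get("headers", []), SENSITIVE_HEADERS)
            _scrub(msg.get("cookies", []))
        # Response bodies can echo tokens (e.g. a JSON sessionToken field), so
        # drop them entirely; URLs, status codes and timings stay for debugging.
        content = entry.get("response", {}).get("content", {})
        if "text" in content:
            content["text"] = REDACTED
    return har

def contains_value(har, secret):
    """True if the literal secret still appears anywhere in the serialized HAR."""
    return secret in json.dumps(har)

# Constructed sample: one Okta API request captured while a session was live.
SESSION = "102abcSESSIONTOKENxyz"  # constructed placeholder, not a real token
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                "headers": [{"name": "Host", "value": "example.okta.com"},
                            {"name": "Cookie", "value": f"sid={SESSION}; DT=dev1"}],
                "cookies": [{"name": "sid", "value": SESSION}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": f"sid={SESSION}; Secure"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": SESSION}],
                 "content": {"mimeType": "application/json", "text": '{"id":"00u1"}'}}}]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print("token still present:", contains_value(clean, SESSION))  # False
```

Run the check against the sanitized copy before sharing it; if a token is still found, the capture also carries it somewhere outside the fields handled here.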

“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers,” said David Bradbury, Okta’s chief security officer.

Three of those affected include 1Password, BeyondTrust, and Cloudflare. 1Password was the first company to report suspicious activity on September 29. Two other unidentified customers were identified on October 12 and October 18.

Okta formally disclosed the security incident on October 20, saying that a threat actor leveraged access to stolen credentials to access Okta’s support case management system.

Now, the company has shared some more details on how this happened.

It said the unauthorized access to Okta’s customer support system was achieved using a service account stored in the system itself, which had privileges to view and update customer support cases.

Further investigation revealed that the service account username and password were saved in an employee’s personal Google account and that the person had signed in to his personal account on the Chrome web browser of his Okta-managed laptop.

“The most likely way for these credentials to be exposed is through the compromise of an employee’s personal Google account or personal device,” Bradbury said.

Okta has since revoked the session tokens embedded in HAR files shared by affected customers and disabled the compromised service accounts.

It also blocked the use of personal Google profiles within enterprise versions of Google Chrome, preventing its employees from signing in to their personal accounts on Okta-managed laptops.

“Okta has released session token binding based on network location as a product enhancement to address the threat of session token theft against Okta administrators,” Bradbury said.

“Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the Early Access section of the Okta Admin portal.”

The development comes days after Okta disclosed that the personal information of 4,961 current and former employees was exposed following a breach at its healthcare coverage vendor, Rightway Healthcare, on September 23, 2023. The compromised data included names, Social Security numbers, and health or medical insurance plans.

