Okta: Security Breach Impacted 134 Clients

Penka Hristovska, Senior Editor

Identity and authentication management provider Okta has released more details about its October breach.

In an official report, the company confirmed much of what was already known about the attack, including that the cybercriminals gained unauthorized access to Okta’s customer support system between Sept. 28 and Oct. 17.

The company said the recent support case management system breach affected 134 of its 18,400 customers, which amounts to “less than 1 percent of Okta customers.” It explained that the cybercriminals accessed HAR (HTTP Archive) files containing session tokens (cached web session data and cookies) that can be used to impersonate valid users and hijack legitimate sessions, which appears to be what the attackers attempted to do.
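A HAR capture records every request and response header and cookie, which is why a support upload can carry a live session token. The sanitizer below is an added example (not Okta's or any affected vendor's tooling); it assumes the HAR 1.2 JSON layout and that the listed header names and cookie-name fragments are the ones worth redacting, and it re-scans the whole file afterward so a token surviving in an unexpected field is still caught.

```python
import copy
import json

# Header names and cookie-name fragments that commonly carry session or bearer
# material. This list is an assumption for illustration; extend it for your apps.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_COOKIE_HINTS = ("sid", "session", "token", "auth", "jwt")
REDACTED = "[REDACTED]"


def redact_pairs(pairs, is_sensitive):
    """Overwrite the value of every {name, value} pair whose name matches."""
    count = 0
    for pair in pairs:
        if is_sensitive(pair.get("name", "")):
            pair["value"] = REDACTED
            count += 1
    return count


def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions) for a parsed HAR dict."""
    # Covers headers and the parsed cookie arrays on both sides of each entry;
    # response bodies (response.content.text) are left alone, review them separately.
    clean = copy.deepcopy(har)
    total = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            total += redact_pairs(message.get("headers", []),
                                  lambda n: n.lower() in SENSITIVE_HEADERS)
            total += redact_pairs(message.get("cookies", []),
                                  lambda n: any(h in n.lower() for h in SENSITIVE_COOKIE_HINTS))
    return clean, total


def contains_value(har, value):
    """Scan the whole serialized HAR so a leak in an unexpected field is caught."""
    return value in json.dumps(har)


# Constructed sample HAR; the cookie value is a made-up placeholder, not a real token.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"headers": [{"name": "Cookie", "value": "sid=FAKE-SESSION-123"}],
                "cookies": [{"name": "sid", "value": "FAKE-SESSION-123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=FAKE-SESSION-123; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "FAKE-SESSION-123"}]}}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(n, "values redacted; leak remains:", contains_value(clean, "FAKE-SESSION-123"))
```

Run it over a real capture with `sanitize_har(json.load(open("capture.har")))` and only share the output once `contains_value` reports the raw token is gone.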

The attackers then accessed the sessions of five Okta customers, including 1Password, BeyondTrust, and Cloudflare, with 1Password being the first company to report suspicious activity, on Sept. 29. 1Password said at the time that its system was broken into by a malicious user who had admin privileges and that they tried to steal data on other 1Password administrators, update an existing identity provider, and gain access to Okta’s IP dashboard.

Two other unnamed Okta customers were subsequently identified as being part of the breach on Oct. 12 and Oct. 18. As to how the cybercriminals gained access to Okta’s systems in the first place, the source appears to be an Okta-managed laptop belonging to an employee at the company.

“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Okta chief security officer David Bradbury said. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

Okta has since removed the session tokens contained in the HAR files and deactivated the service account that was compromised.

The company is separately grappling with another breach at a third-party vendor, Rightway Healthcare, that took place earlier this month. The attacker accessed 5,000 health-related records of Okta employees and their families, including Social Security numbers and insurance plan data.

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.