Security Breach at Okta: Incident Highlights Need for Enhanced Protocols

Kamso Oguejiofor Kamso Oguejiofor Writer

In a recently disclosed security incident, 1Password detected suspicious activity on its Okta instance related to Okta’s Support System incident. On September 29, 2023, a member of Okta’s IT team received a suspicious email indicating they had initiated a report of Okta admin accounts — an action they hadn’t performed. Alarmed, they alerted the company’s security incident response team.

“Preliminary investigations revealed activity in our Okta environment was sourced by a suspicious IP address and was later confirmed that a threat actor had accessed our Okta tenant with administrative privileges,” 1Passwsord’s security incident report read.

This illicit activity shares resemblances to a known cyber attack pattern wherein attackers compromise super admin accounts to tamper with authentication flows, impersonating users of the affected organization.

Notably, the attacker’s initial intent appeared to be information reconnaissance, possibly preparing for a more sophisticated assault. As such, there’s “no evidence that proves the actor accessed any systems outside of Okta.”

According to the report, the attacker was able to access Okta’s administrative portal using a session initiated by the IT team member to create an HAR file (a record of all traffic between a browser and Okta servers). The attacker attempted various actions, including the activation of an Identity Provider (IDP) and requesting an administrative users report, which led to the email notification to the IT team member.

“The HAR file was created on the team member’s macOS laptop and uploaded via hotel provided WiFi, as this event occurred at the end of a company event,” the report read. “Based on an analysis of how the file was created and uploaded, Okta’s use of TLS and HSTS, and the prior use of the same browser to access Okta, it is believed that there was no window in which this data could have been exposed to the WiFi network, or otherwise subject to interception.”

In response to the breach, extensive security updates have been initiated, including denying logins from non-Okta IDPs, stricter Multi-Factor Authentication (MFA) rules for administrative users, and reduced session times.

About the Author

About the Author

Kamso Oguejiofor is a former Content Writer at SafetyDetectives. He has over 2 years of experience writing and editing topics about cybersecurity, network security, fintech, and information security. He has also worked as a freelance writer for tech, health, beauty, fitness, and gaming publications, and he has experience in SEO writing, product descriptions/reviews, and news stories. When he’s not studying or writing, he likes to play basketball, work out, and binge watch anime and drama series.

Leave a Comment