Okta Hack - October 2023

What happened?

A breach of the customer support system in late September 2023 resulted in the compromise of customer names and email addresses. The point of intrusion was due to saved credentials on a personal Google account by an Okta employee. Federal users were not impacted. This type of information can be used to phish IT administrators that manage the platform. Okta originally thought it only impacted 1% (134) of it’s customers. Come to find out every Okta customer had their name and email address compromised. Okta customers are usually people in IT so this isn’t everyone in an organization but it does put IT staff at risk of being vished or phished and having their account compromised. 3% of users also had last login; username; phone numbers; SAML federation ID; company name; job role; user type; date of last password change or reset.

Fallout

1password, Cloudflare, and BeyondTrust all announced breaches due to the Okta breach. Thankfully, the breaches were identified and mitigated early.

Links

Hackers Stole Access Tokens from Okta’s Support Unit - by Brian Krebs - October 20, 2023 - Krebs on Security

Okta: Breach Affected All Customer Support Users - by Brian Krebs - November 29, 2023 - Krebs on Security

Unauthorized Access to Okta’s Support Case Management System: Root Cause and Remediation - by David Bradbury - November 3, 2023 - Okta

October Customer Support Security Incident - Update and Recommended Actions - by David Bradbury - November 29, 2023 - Okta

Okta Hack Update Shows Challenges in Rapid Cyber Disclosures - by James Rundle, Cathering Stupp, and Kim S. Nash - November 29th, 2023 - Wall Street Journal Paywall

Okta Support System incident and 1Password - by Pedro Canahuati - October 23, 2023 - 1Password

How Cloudflare mitigate yet another Okta compromise - by Sourov Zaman, Lucase Ferreira, Kimberly Hall, and Grant Bourzikas - October 20, 2023 - Cloudflare

BeyondTrust Discovers Breach of Okta Support Unit - October 23, 2023, BeyondTrust