Incident

Identity management firm Okta support system hacked, exposing customer session tokens

Okta, an identity provider for businesses and organizations, reported a security breach involving one of its customer service tools. In this breach, attackers gained access to Okta's support case management system using stolen credentials. The compromised system was separate from Okta's primary customer platform, which remained unaffected.

The nature of the breach allowed the attacker to view files that had been uploaded by certain Okta customers as part of recent support cases. This breach is particularly concerning because of the type of data that could have been accessed: sensitive cookies and session tokens. If valid tokens and cookies fell into the wrong hands, they could potentially be exploited for impersonation attacks, allowing unauthorized individuals to pose as valid users and gain unauthorized access to systems and resources.

As a response to the breach, Okta took several actions to address the situation:

  1. Notified all customers that were affected by the cyberattack, ensuring transparency about the incident.
  2. Recommended that customers thoroughly sanitize all credentials and cookies/session tokens within any files they had previously uploaded. This step aimed to minimize the risk of potential impersonation attacks using the stolen data.
  3. Revoked the embedded session tokens to mitigate the impact of the breach.
  4. Released a list of suspicious IP addresses and indicators of compromise:
    1. Access to Okta admin functions through a proxy (isproxy: true in Okta log events)
    2. Access to Okta from IPs 202[.]59.10.100 or 23[.]105.182.19
    3. Access to Okta, especially Okta admin functions, from VPS/hosting providers (especially VPS Malaysia and LeaseWeb)
    4. Access to Okta with this user agent for an outdated version of Chrome for macOS: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.3538.77 Safari/537.36
    5. An Okta account created via the REST API with the name svc_network_backup, or another name mimicking existing, legitimate accounts
    6. Activity against endpoints like /reports/password-health/async_csv_download_schedule?, which are typically used only from the Okta Admin Console UI, without any corresponding admin console login
    7. Okta activity for a user without any clear indication that the user authenticated (such as a user.session.start event for that user from a similar geographic area)
    8. Admin console login attempts that are denied by policy without a subsequent successful admin console login by the same user within an hour
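As an added example (not Okta's code or part of the original report), the following detection logic checks several of the published indicators over constructed sample events, including the time-based correlation in the last item. The System Log field layout (securityContext.isProxy, client.userAgent.rawUserAgent, outcome.result) and the event name user.session.access_admin_app are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Indicators from the advisory summarized above (IPs un-defanged for matching).
KNOWN_BAD_IPS = {"202.59.10.100", "23.105.182.19"}
SUSPICIOUS_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/99.0.3538.77 Safari/537.36")
SUSPICIOUS_ACCOUNT = "svc_network_backup"
ADMIN_LOGIN = "user.session.access_admin_app"  # assumed eventType for admin-console login
def _ev(actor, etype, ip, ts, result="SUCCESS", proxy=False, ua="Mozilla/5.0 (X11)", target=()):
    # Minimal constructed System Log event in the (assumed) field layout used below.
    return {"actor": {"alternateId": actor}, "eventType": etype, "published": ts,
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "securityContext": {"isProxy": proxy}, "outcome": {"result": result},
            "target": list(target)}

def find_hits(events):
    """Return (actor, indicator) pairs for events matching the published indicators."""
    hits, denied = [], {}  # denied: actor -> time of first unanswered admin-console denial
    for ev in sorted(events, key=lambda e: e["published"]):
        actor = ev["actor"]["alternateId"]
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if ev["securityContext"].get("isProxy"):
            hits.append((actor, "proxy"))
        if ev["client"]["ipAddress"] in KNOWN_BAD_IPS:
            hits.append((actor, "known-bad-ip"))
        if ev["client"]["userAgent"]["rawUserAgent"] == SUSPICIOUS_UA:
            hits.append((actor, "outdated-chrome-ua"))
        if ev["eventType"] == "user.lifecycle.create" and any(
                t.get("alternateId") == SUSPICIOUS_ACCOUNT for t in ev["target"]):
            hits.append((actor, "suspicious-account-create"))
        if ev["eventType"] == ADMIN_LOGIN:
            if ev["outcome"]["result"] == "DENY":
                denied.setdefault(actor, ts)
            elif (ev["outcome"]["result"] == "SUCCESS" and actor in denied
                  and ts - denied[actor] <= timedelta(hours=1)):
                denied.pop(actor)  # success within an hour: the denial was benign
    hits.extend((a, "admin-deny-no-followup") for a in denied)  # still unanswered
    return hits

SAMPLE_EVENTS = [  # constructed sample data, not real log output
    _ev("alice@example.com", ADMIN_LOGIN, "10.0.0.5", "2023-10-20T09:00:00Z", result="DENY"),
    _ev("alice@example.com", ADMIN_LOGIN, "10.0.0.5", "2023-10-20T09:20:00Z"),
    _ev("bob@example.com", ADMIN_LOGIN, "10.0.0.6", "2023-10-20T10:00:00Z", result="DENY"),
    _ev("carol@example.com", "user.session.start", "23.105.182.19", "2023-10-20T10:05:00Z", proxy=True),
    _ev("dave@example.com", "user.lifecycle.create", "10.0.0.7", "2023-10-20T10:10:00Z",
        ua=SUSPICIOUS_UA, target=[{"alternateId": SUSPICIOUS_ACCOUNT}]),
]

def scan_sample():
    return find_hits(SAMPLE_EVENTS)
```

In the sample, alice's denied admin-console login is followed by a success 20 minutes later and is not reported, while bob's denial has no follow-up and is.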

This security incident caused concern among investors as well, and resulted in a significant 12% drop in Okta's stock value, even though the primary Okta services were not affected by the breach.

Update - Okta is trying to justify a two-week delay in responding to a security breach that affected 134 customers, including notable security firms. The breach involved unauthorized access to customer support files and session token theft, which led to session hijacking for five customers. Okta traced the issue to an employee's compromised personal Google account and addressed criticism for the response time by highlighting the complexity of the investigation and subsequent improvements in logging practices.