Okta, a prominent identity and access management (IAM) vendor, has confirmed that its customer support system was compromised by a threat actor. The intruder took files belonging to 134 Okta customers, less than 1% of the company's customer base, and then used material from those files against five of them; BeyondTrust, 1Password and Cloudflare are among the five.
The stolen files were HAR (HTTP Archive) files, browser traffic captures that customers had uploaded to support cases; because a HAR file records every request and response header the browser exchanged, some of them contained live Okta session tokens, as Okta's chief security officer, David Bradbury, explained in a detailed blog post on the incident. The intrusion was traced to a service account whose username and password had been saved into an Okta employee's personal Google account; compromise of that personal Google account or of a personal device is the most likely way the credential was exposed. Bradbury stated, 'During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account.'
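The practical lesson of the HAR detail is that a capture should be scrubbed before it is attached to any support ticket. The script below is an added example written for this page, not Okta's own sanitizer or code from any of the affected vendors. It redacts Cookie, Set-Cookie and Authorization headers, every cookie value, and compact JWTs found in URLs, query strings and bodies, and reports what it removed so you can confirm the capture is safe. The header list and the JWT pattern are assumptions that a reader should extend for their own stack; the sample HAR embedded at the bottom is constructed and its cookie and token values are made up.

```python
"""Scrub session material from a HAR file before it goes to a support case.

Browser HAR captures record every header the browser sent and received,
including Cookie, Authorization and Set-Cookie, so a raw HAR attached to a
support ticket hands its session tokens to anyone who can read the ticket.
This script redacts those fields (and bearer-style JWTs in URLs and bodies)
while leaving the timing and status data that support actually needs.
Header names and the JWT pattern are assumptions; extend them for your stack.
"""
import copy
import json
import re

REDACTED = "[REDACTED]"

# Request/response headers whose values carry credentials or session tokens.
SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key",
}
# Compact JWTs (three base64url segments, each starting with "eyJ" for the first
# two).  Opaque session IDs are handled by redacting every cookie value instead.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _scrub_text(text, stats):
    """Replace any JWT in free text and count the replacements."""
    text, n = JWT_RE.subn(REDACTED, text)
    stats["tokens"] += n
    return text


def _scrub_message(msg, stats):
    """Redact one HAR request or response object in place."""
    for h in msg.get("headers", []):
        if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value"):
            h["value"] = REDACTED
            stats["headers"] += 1
        elif h.get("value"):
            h["value"] = _scrub_text(h["value"], stats)
    for c in msg.get("cookies", []):          # parsed cookie list, separate from headers
        if c.get("value"):
            c["value"] = REDACTED
            stats["cookies"] += 1
    for q in msg.get("queryString", []):
        if q.get("value"):
            q["value"] = _scrub_text(q["value"], stats)
    if msg.get("url"):
        msg["url"] = _scrub_text(msg["url"], stats)
    post = msg.get("postData", {})
    if post.get("text"):
        post["text"] = _scrub_text(post["text"], stats)
    content = msg.get("content", {})
    if content.get("text"):
        content["text"] = _scrub_text(content["text"], stats)


def sanitize_har(har):
    """Return (sanitized deep copy, redaction counts); the input dict is left untouched."""
    out = copy.deepcopy(har)
    stats = {"headers": 0, "cookies": 0, "tokens": 0}
    for entry in out.get("log", {}).get("entries", []):
        _scrub_message(entry.get("request", {}), stats)
        _scrub_message(entry.get("response", {}), stats)
    return out, stats


def sanitize_har_file(src, dst):
    """Sanitize a HAR file on disk and return the redaction counts."""
    with open(src, encoding="utf-8") as f:
        har = json.load(f)
    clean, stats = sanitize_har(har)
    with open(dst, "w", encoding="utf-8") as f:
        json.dump(clean, f, indent=1)
    return stats


def remaining_secrets(har, secrets):
    """Return which of the given secret strings (plus any JWT) still appear in the HAR."""
    blob = json.dumps(har)
    found = [s for s in secrets if s in blob]
    if JWT_RE.search(blob):
        found.append("<jwt>")
    return found


# Constructed sample: one admin API call captured with a live session.
# Hostname, cookie and token values are made up, not real identifiers.
_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.abcdefghijklmnopqrstuvwxyz0123456789"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "startedDateTime": "2023-10-02T10:00:00.000Z",
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/api/v1/users?limit=20",
        "headers": [
            {"name": "Host", "value": "example.okta.com"},
            {"name": "Cookie", "value": "sid=102abc; JSESSIONID=9F3D"},
            {"name": "Authorization", "value": "Bearer " + _JWT},
        ],
        "cookies": [{"name": "sid", "value": "102abc"},
                    {"name": "JSESSIONID", "value": "9F3D"}],
        "queryString": [{"name": "limit", "value": "20"}],
    },
    "response": {
        "status": 200,
        "headers": [
            {"name": "Content-Type", "value": "application/json"},
            {"name": "Set-Cookie", "value": "sid=77zz; Secure; HttpOnly"},
        ],
        "cookies": [{"name": "sid", "value": "77zz"}],
        "content": {"mimeType": "application/json", "text": '{"token": "' + _JWT + '"}'},
    },
}]}}

if __name__ == "__main__":
    clean, stats = sanitize_har(SAMPLE_HAR)
    print("redacted:", stats)
    print("still present:", remaining_secrets(clean, ["102abc", "9F3D", "77zz"]))
```

Run `sanitize_har_file("capture.har", "capture.clean.har")` on a real export and then grep the output for the values you know were in the session (`remaining_secrets` does this in code) before uploading. Redaction does not shorten the server-side life of a token that was already captured; if a raw HAR has left your machine, treat its sessions as compromised and revoke them.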
Okta's investigation timeline indicates that 1Password was the first customer to report suspicious activity, on September 29; by October 2, BeyondTrust had reported a similar issue. Using those customers' indicators of compromise, including the IP addresses the attacker used, Bradbury's team identified the other targeted customers, among them Cloudflare. Okta says it has since revoked every session token that was embedded in the stolen HAR files.
In response to the breach, Okta has implemented measures intended to prevent a repeat. Chrome sign-ins with a personal Google account are now blocked on Okta-managed laptops. Okta has also shipped session token binding for administrators: an admin session token is tied to the network location it was issued from, and a request arriving from a different network forces the administrator to authenticate again, so a token lifted from a HAR file is of little use from an attacker's network. Bradbury added, 'Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators. Okta administrators are now forced to re-authenticate if we detect a network change.'
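To make the binding mechanism concrete, here is an added example of a server-side session store that records the client network at login and revokes the session, demanding re-authentication, when the same token is later presented from a different network. It is illustrative code written for this page, not Okta's implementation; the choice of a /24 for IPv4 and a /48 for IPv6 as "the network" is an assumption, since the page does not say how Okta defines a network change.

```python
"""Bind a session token to the network it was issued from.

A token copied out of a HAR file is only useful to an attacker if the server
honours it from the attacker's network.  Recording the client network at login
and forcing re-authentication when a later request arrives from a different
network (the behaviour described for Okta admin sessions) turns a stolen token
into a dead one.  Granularity here is a /24 for IPv4 and a /48 for IPv6; that
is an assumption for the example, not Okta's documented rule.
"""
import ipaddress
import secrets
import time


class BoundSessionStore:
    def __init__(self, v4_prefix=24, v6_prefix=48, ttl=3600):
        self._sessions = {}
        self._v4, self._v6, self._ttl = v4_prefix, v6_prefix, ttl
        self.events = []  # audit trail of binding decisions for the SOC

    def _network(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = self._v4 if addr.version == 4 else self._v6
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def create(self, user, client_ip, now=None):
        """Mint a token bound to the caller's network; `now` is injectable for tests."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "network": self._network(client_ip),
            "issued": now if now is not None else time.time(),
        }
        return token

    def validate(self, token, client_ip, now=None):
        """Return 'ok', 'expired', 'unknown' or 'reauth_required' for a presented token."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        now = now if now is not None else time.time()
        if now - s["issued"] > self._ttl:
            del self._sessions[token]
            return "expired"
        seen_from = self._network(client_ip)
        if seen_from != s["network"]:
            # Network changed: revoke so the token cannot simply be retried, and
            # record who, from where, to where, so an analyst can triage it.
            del self._sessions[token]
            self.events.append({
                "user": s["user"],
                "bound": str(s["network"]),
                "seen_from": str(seen_from),
                "action": "reauth_required",
            })
            return "reauth_required"
        return "ok"


if __name__ == "__main__":
    # Constructed scenario: an admin logs in from an office /24, then the same
    # token is replayed from an unrelated network, as it would be after HAR theft.
    store = BoundSessionStore()
    tok = store.create("admin@example.com", "203.0.113.10")
    print(store.validate(tok, "203.0.113.77"))   # same /24: ok
    print(store.validate(tok, "198.51.100.5"))   # different network: reauth_required
    print(store.validate(tok, "203.0.113.10"))   # token was revoked: unknown
    print(store.events[-1])
```

The trade-off is visible in the code: anything coarser than an exact address tolerates the normal churn of DHCP and NAT but will not stop an attacker who sits on the same prefix as the victim, while anything finer will log out legitimate administrators on every VPN or mobile hand-off. Forcing re-authentication rather than silently rejecting the request is what keeps the control usable for real users while still stripping a thief of a replayed session.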
This breach is the latest in a series of security incidents that have dogged Okta and its customers, including the earlier compromise of Okta customer MGM Resorts. More recently, personal data of Okta employees was exposed through a breach at a third-party healthcare vendor.