In October 2023, Okta, a leading provider of identity and access management (IAM) solutions, experienced a data breach affecting its customer support system. This incident raised serious concerns about the security of sensitive information entrusted to Okta by its customers and partners. This two-part blog series will explore the details of the Okta data breach, including how attackers gained initial access, the attack vectors exploited, the potential impact on affected organizations, and how having the right security tools in your arsenal can play a crucial role in swiftly detecting and mitigating data breaches in your organization.
A timeline of events
The Okta data breach began with a seemingly innocuous incident involving an employee’s personal activities on a work laptop.
Initial access
Attackers compromised an Okta employee who logged in to their personal Google profile on the Chrome browser of their Okta-managed laptop and saved their Okta service account credentials into their personal Google account. The initial compromise of their personal account likely involved phishing or another social engineering technique.
Since the employee used the compromised Google account on a work laptop, the laptop itself was infected with malware. This malware allowed attackers to gain access to Okta’s support system and exploit the unsanitized HAR files submitted by customers. Utilizing these files, the attacker extracted session tokens of Okta’s customers—1Password, BeyondTrust, Cloudflare, and two other companies not named.
With control over these sessions and admin accounts, the attacker attempted to penetrate deeper into the internal systems of these companies. However, the hacker’s efforts were largely unsuccessful, and they were promptly ejected.
As revealed in the investigation timeline shared by Okta, it was 1Password who initially alerted Okta Support to unusual activities on Sept. 29, 2023. Yet, it wasn’t until 14 days later, and following a compromise indicator from BeyondTrust, that the misuse of a service account was identified as the culprit.
Let’s take a look at the events as they unfolded.
Sept. 29, 2023
1Password, an Okta customer, first detected suspicious activity and notified Okta. Okta Security initiated an inquiry, suspecting that 1Password had probably fallen prey to a malware infection or a phishing scam.
Oct. 2, 2023
BeyondTrust identified and neutralized an identity-focused attack on an internal Okta administrator account and subsequently notified Okta Support of an indicator of compromise (i.e., IP address) associated with the event.
Oct. 11, 2023
A virtual meeting was held between BeyondTrust and the Okta security team. BeyondTrust shared findings and requested additional log data from Okta related to the support case data access.
Oct. 16–17, 2023
Utilizing the provided IP address, Okta Security pinpointed a service account linked to events previously unnoticed in the customer support system’s log records. Following this, Okta Security disabled the service account and terminated associated sessions on Oct. 17 and also session tokens embedded in the HAR files.
Oct. 19, 2023
After almost 20 days, Okta Security leadership acknowledged an internal breach to BeyondTrust, 1Password, Cloudflare, and two other unnamed companies, confirming them as being among the affected customers.
Late Oct. to Nov. 2023
Further investigations and disclosures revealed the broader scope of the breach, involving additional companies that required enhanced security measures.
Nov. 29, 2023
Okta issued additional information about the breach, confirming the extent and nature of the impact. Okta confirmed that more reports and support cases were accessed by the threat actor, which included contact details of all Okta certified users, certain Okta Customer Identity Cloud (CIC) customer contacts, and various other pieces of information including some Okta employee information. However, Okta mentioned that this contact information did not encompass user credentials or sensitive personal data.
Dec. 2023
Okta revealed that attackers had downloaded a report containing the names and email addresses of all Okta customer support system users. This information could be used for phishing attacks or other malicious purposes.
Impact of the breach
Okta reported that the threat actors gained access to files associated with 134 Okta customers, or less than 1% of its customers. Apart from this, here are some key aspects of this breach’s impact:
- Loss of customer trust and reputation: Okta, being a prominent identity and access management service provider, suffered a hit to its reputation. Trust is crucial in the cybersecurity industry, and breaches like this can lead to a loss of confidence among existing and potential customers. Following the data breach, Okta shares fell by 11%.
- Compromised customer data: The breach led to unauthorized access to sensitive customer data. For companies like 1Password, BeyondTrust, Cloudflare, and others affected, this meant potential exposure of their internal systems and user data, raising concerns about privacy and security.
- Operational disruption: For the affected customers, the breach could have led to operational disruptions. While the quick response mitigated severe consequences, the need for investigations and increased security measures may have disrupted normal business operations.
- Account takeover attempts: Stolen session tokens can be used to gain unauthorized access to customer accounts. This would allow attackers to steal confidential data, disrupt operations, or even impersonate authorized users to gain further access within organizations.
Lessons learned and best practices
The Okta data breach offers valuable lessons for organizations of all sizes.
- Implement multi-factor authentication (MFA): According to Okta’s report, the service account used by the attackers to steal session tokens was saved in the system itself. The addition of MFA as an extra layer of security to logins, even to infrequently accessed high profiles such as service accounts, makes it significantly harder for attackers to gain access with stolen credentials. Securing admin access by implementing MFA can go a long way in blocking threat actors from gaining access to sensitive data.
- Educate employees on cybersecurity awareness: The Okta data breach began by a compromised personal account. Training employees to recognize phishing attempts and social engineering tactics makes them less susceptible to such attacks.
- Enforce password policies and robust access controls: Implement strong password policies and enforce regular password changes to minimize the risk of credential compromise. Limit access to sensitive information based on the principle of least privilege and monitor user activity for anomalies.
- Employ user entity and behavior analytics (UEBA): UEBA systems focus on understanding the normal behavior of users and entities, such as devices or applications, within an organization and then identifying deviations from this norm, which could indicate a security threat. Implementing ML-based behavior analytics spots suspicious behaviors like backdoor account creation, which can go unnoticed and grant attackers prolonged access to the network.
The Okta data breach serves as a stark reminder of the perilous cyberthreat landscape and the importance of having robust security measures. Organizations must be vigilant in protecting their sensitive information and implementing strong security practices to mitigate the risk of cyberattacks.
Log360, ManageEngine’s unified SIEM solution with integrated DLP and CASB capabilities, can detect suspicious software and malware installation, remote code executions, lateral movements, and more.
Stay tuned for part two of this series, where we’ll explore the role of a security solution in promptly identifying and addressing data breaches.