Everything we know so far about Okta’s data breach

Okta has revealed that threat actors breached its support management system earlier in October, gaining access to sensitive customer data and tokens that empowered further cyber attacks.

An as-yet-unidentified attacker used a stolen authentication token to access the system through which they were able to view HTTP Archive files, which contain information about how a user has interacted with a browser as well as session tokens and cookies.

Okta has not revealed the date it was originally breached, though evidence suggests that it had been compromised prior to October 2.

These files can be leveraged to impersonate legitimate users within Okta environments, and firms such as Cloudflare and BeyondTrust have submitted reports on attacks they experienced off the back of the breach.

“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” wrote David Bradbury, chief security officer at Okta.

“In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”

CNBC reported Okta stock fell 11% in the immediate aftermath of the breach, as questions were raised about the precise attack chain leading to the breach and the extent to which customer data was accessed.

At time of writing, Okta has not provided exact information on the stolen credential that allowed the attackers to access its case management system. We will update this article as new information emerges.

How severe was the Okta breach?

Okta stressed that the attack affecting its support case management system has not impacted its production environment, nor its Auth0/CIC system.

"We recently notified our customers about adversarial activity we identified that leveraged access to a stolen credential to access Okta's support case management system," Okta said in a statement.

"This system is separate from the production Okta service, which is fully operational and has not been impacted. We have notified impacted customers and taken measures to protect all our customers."

The firm stated it has notified all affected parties at the time of writing, and as such customers who have not received a notice will have no reason for concern over a potential breach.

Erfan Shadabi, cyber security expert at comforte AG, told ITPro that the incident underscored the need for businesses to adopt advanced security practices.

“In the Okta case, even if the adversaries gained access to certain files uploaded by Okta's customers, tokenized data would remain secure and unbreachable. This concept extends to a wider spectrum of applications and use cases, making it a versatile and robust security strategy.”

Other experts in the field have expressed their disappointment in Okta’s handling of the breach and argued that the incident is evidence of an overreliance on outsourcing in the security community.

Which companies were affected by the Okta breach?

A number of attempted attacks on other organizations have also been linked to the breach, with stolen session tokens used to exploit Okta instances and leverage administrator controls.

Identity management firm BeyondTrust has stated that it experienced an identity-centric attack on October 2, which arose from an in-house Okta administrator account. It notified Okta immediately following the breach, and subsequently engaged in dialog with Okta to provide evidence that Okta had been compromised.

Despite this, BeyondTrust said it received “no acknowledgment” from Okta of a breach, until being notified by Okta on October 19 as part of its breach notice to customers.

BeyondTrust said its policies on admin console access were enough to stem the attack at first, but the threat actor subsequently used a stolen session cookie to carry out admin API actions.

These cannot be easily prevented using internal controls, and the threat actors exploited this to establish a backdoor user account. Upon this discovery, BeyondTrust’s security team deactivated the backdoor account. A subsequent investigation found that the hackers had been unable to escalate the attack further.

BeyondTrust was not the only company hit as a result of Okta’s breach. One day prior to Okta going public with the information, Cloudflare also reported malicious activity to Okta, which it attributed to sensitive token theft.

Cloudflare spotted an attack on its own systems on October 18, with hackers using a session token from a support ticket sent by a Cloudflare employee within Okta’s platform, which the company believes was obtained through the initial Okta breach. This was then used to compromise two of Cloudflare’s employee Okta support accounts.

Security teams at the firm were able to contain the incident before threat actors gained access to other internal systems.

At the time of the attack, Cloudflare had not received any notification from Okta regarding a potential breach, despite the fact BeyondTrust had reported a similar incident on October 2. 

Cloudflare has urged that, in future, Okta “[p]rovide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them”.

“The key to mitigating this week’s incident was our team’s early detection and immediate response,” Cloudflare wrote.

“In fact, we contacted Okta about the breach of their systems before they had notified us. The attacker used an open session from Okta, with Administrative privileges, and accessed our Okta instance.”

This is not the first time that Okta has experienced an attack related to its support system. In March 2022, the LAPSUS$ group successfully breached a device belonging to a third-party support engineer using remote desktop protocol (RDP).

Okta’s subsequent investigation found that the group failed to escalate the attack through the impersonation of customer support agents to carry out phishing attacks or to reset any internal passwords.