Okta: Support system breach affected all customers

Okta warned customers that they face an 'increased risk of phishing and social engineering attacks' after new details emerged from a breach that occurred earlier this year.


While Okta initially confirmed that a support case management system breach affected only 1% of its customers, further analysis revealed that threat actors accessed information for all customers and some Okta employees.

Last month, Okta CSO David Bradbury confirmed that attackers used stolen credentials to infiltrate the vendor's support case management system and view troubleshooting files for 134 organizations -- or less than 1% of Okta's customers. The threat actor used session cookies contained in those files to impersonate valid users. Subsequently, Okta customers including 1Password, BeyondTrust and Cloudflare revealed that they had detected and stopped Okta-related attacks.

In an updated blog post Wednesday, Bradbury revealed that the threat group accessed far more customer data than the initial investigation uncovered.

"We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users," Bradbury wrote in the blog post. "All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor)."

Okta discovered the extended attack scope after manually re-creating the reports the threat actor ran in the system and the files they downloaded. Fields in the report included company names, addresses, phone numbers and dates of last password changes.

"We identified that the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation. After additional analysis, we concluded that the report contained a list of all customer support system users," Bradbury wrote, adding that the discrepancy stemmed from the threat actor running an unfiltered view of the report.

Okta said the majority of the fields in the report were blank and that it did not include user credentials or sensitive personal data. For 99.6% of customers, the only information accessed was full names and emails, but that could be enough for attackers to cause damage.

Phishing emails sent with malicious attachments are commonly used in social engineering attacks. Several threat groups, including the notorious Scattered Spider, are known to leverage phishing and vishing to eventually gain admin privileges.

"While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks," Bradbury wrote. "Okta customers sign in to Okta's customer support system with the same accounts they use in their own Okta org. Many users of the customer support system are Okta administrators."

A call to action for MFA

In light of the exposed customer data, Bradbury said it is critical that Okta administrators implement multifactor authentication (MFA) to secure the support system and the admin console.

Okta super administrator accounts have been targeted in recent social engineering attacks, including breaches at Las Vegas casino giants MGM Resorts and Caesars Entertainment. Those attacks were reportedly the work of Scattered Spider, a threat group known for disruptive attacks that leverage BlackCat/Alphv ransomware and advanced social engineering campaigns. Scattered Spider has warranted multiple government advisories, with the most recent alert issued on Nov. 16.

"Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users," Bradbury wrote. "While 94% of Okta customers already require MFA for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing resistant authenticators to further enhance their security."

Vendors have increasingly pushed enterprises to implement MFA over the past several years, and it is a requirement to obtain a cyber insurance policy in many cases. However, it's clear that some enterprises continue to struggle with MFA adoption.

In addition to MFA enrollment, Okta recommended that customers enable an Early Access feature that requires admins to reauthenticate if their session is reused from an IP address with a different autonomous system number. Customers should also prioritize phishing awareness training, Bradbury said.
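The detection idea behind that feature, as an added example that is neither Okta's code nor part of the article: walk a session log and flag any session ID that is presented from an IP in a different autonomous system than the one it was first seen from. The log lines and the prefix-to-ASN table are constructed for the example; a real deployment would resolve ASNs from BGP or GeoIP data.

```python
# Added example (not Okta's or the article's code): flag a session that is
# presented from an IP in a different autonomous system (ASN) than the one
# it was first seen from, the condition the reauthentication feature keys on.
# The log lines and the prefix-to-ASN table below are constructed.
import ipaddress

ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500),   # corporate egress
    (ipaddress.ip_network("198.51.100.0/24"), 64501),  # unrelated network
]

def asn_for_ip(ip):
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return None  # unknown prefix: treated as its own distinct origin

# Constructed log lines: timestamp, session id, source IP, user
SAMPLE_LOG = """\
2023-10-20T10:00:01Z sid=sess-A ip=203.0.113.10 user=admin@example.com
2023-10-20T10:05:12Z sid=sess-A ip=203.0.113.10 user=admin@example.com
2023-10-20T10:09:40Z sid=sess-A ip=198.51.100.7 user=admin@example.com
2023-10-20T10:11:03Z sid=sess-B ip=203.0.113.22 user=ops@example.com
"""

def parse_line(line):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields["sid"], fields["ip"], fields["user"]

def find_asn_reuse(log_text):
    """Return (sid, user, first_asn, new_asn, ts) for each cross-ASN reuse."""
    first_asn = {}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip, user = parse_line(line)
        asn = asn_for_ip(ip)
        if sid not in first_asn:
            first_asn[sid] = asn          # remember the originating network
        elif asn != first_asn[sid]:
            findings.append((sid, user, first_asn[sid], asn, ts))
    return findings

if __name__ == "__main__":
    for sid, user, old, new, ts in find_asn_reuse(SAMPLE_LOG):
        print(f"{ts}: {sid} ({user}) moved AS{old} -> AS{new}: reauthenticate")
```

Only sess-A is flagged: it moves from AS64500 to AS64501 while sess-B stays in its originating network.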

In a statement to TechTarget Editorial, an Okta spokesperson expanded on how the vendor communicated with customers that lacked MFA.

"We've provided customers with a report of their active Okta admins so that they can review that list and validate that their application sign-on policies have been configured correctly to include multifactor authentication," the spokesperson said.

Arielle Waldman is a Boston-based reporter covering enterprise security news.