Nov 04, 2023 | Newsroom | Data Breach / Cyber Attack

Okta Data Breach

Identity and authentication management provider Okta on Friday disclosed that the recent breach of its support case management system affected 134 of its 18,400 customers.

It further noted that the unauthorized intruder had access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking attacks. A HAR (HTTP Archive) file is a JSON recording of a browser's traffic that customers upload to support when troubleshooting; unless it is scrubbed first, it carries every cookie, Authorization header and token-bearing URL verbatim.

“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of five customers,” Okta’s Chief Security Officer, David Bradbury, said.

Three of those affected include 1Password, BeyondTrust, and Cloudflare. 1Password was the first company to report suspicious activity, on September 29. Two other unnamed customers were identified on October 12 and October 18.


Okta formally disclosed the security incident on October 20, stating that the threat actor used a stolen credential to access Okta’s support case management system.

Now, the company has shared more details of how this happened.

It said the access to Okta’s customer support system abused a service account stored in the system itself, which had privileges to view and update customer support cases.

Further investigation revealed that the username and password of the service account had been saved to an employee’s personal Google account, and that the employee had signed in to that personal account in the Chrome web browser on their Okta-managed laptop. Chrome’s built-in password manager syncs saved passwords to whichever Google account the browser profile is signed in to, which is how a credential typed on a managed device ends up in a personal cloud account outside the company’s control.

“The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device,” Bradbury said.

Okta has since revoked the session tokens embedded in the HAR files shared by the affected customers and disabled the compromised service account.
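Revocation is the vendor-side fix; the customer-side control is to strip session material out of a HAR file before it is uploaded to any support portal. The following scrubber is an added example written for this article, not Okta’s own HAR sanitizer or any code from the affected companies. It walks the standard HAR 1.2 structure (request/response `headers`, `cookies`, `queryString`, the URL query, and `postData`/`content` bodies), redacts credential-bearing values, and reports where it found them. The list of token-like parameter names, the JWT pattern, and the sample HAR are assumptions constructed for the demo; extend the name list for the applications you actually troubleshoot.

```python
import json
import re
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Headers whose values are credentials or session material (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Cookie / query-parameter names that usually carry tokens (assumed list; extend it).
TOKENISH_NAME = re.compile(r"token|session|sid|auth|jwt", re.IGNORECASE)
# JWT-shaped strings (three base64url segments) that can sit inside bodies.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _scrub_pairs(pairs, where, findings, should_redact):
    """Redact HAR name/value pairs (headers, cookies, queryString) whose name matches."""
    for item in pairs:
        name = item.get("name", "")
        if should_redact(name) and item.get("value") != REDACTED:
            item["value"] = REDACTED
            findings.append(f"{where}:{name}")


def _scrub_url(url, where, findings):
    """Redact token-like query parameters in the request URL itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if TOKENISH_NAME.search(key):
            value = REDACTED
            findings.append(f"{where}:{key}")
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def _scrub_body(text, where, findings):
    """Replace JWT-shaped strings inside a request or response body."""
    new_text, count = JWT_RE.subn(REDACTED, text)
    findings.extend([f"{where}:jwt"] * count)
    return new_text


def sanitize_har(har):
    """Return (sanitized copy, list of redaction locations); the input is left untouched."""
    out = deepcopy(har)
    findings = []

    def is_header(name):
        return name.lower() in SENSITIVE_HEADERS

    def is_tokenish(name):
        return bool(TOKENISH_NAME.search(name))

    for i, entry in enumerate(out.get("log", {}).get("entries", [])):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        if "url" in req:
            req["url"] = _scrub_url(req["url"], f"{i}.request.url", findings)
        _scrub_pairs(req.get("headers", []), f"{i}.request.headers", findings, is_header)
        _scrub_pairs(req.get("queryString", []), f"{i}.request.queryString", findings, is_tokenish)
        # Every cookie recorded in a HAR is session material as far as sharing is concerned.
        _scrub_pairs(req.get("cookies", []), f"{i}.request.cookies", findings, lambda _: True)
        _scrub_pairs(resp.get("headers", []), f"{i}.response.headers", findings, is_header)
        _scrub_pairs(resp.get("cookies", []), f"{i}.response.cookies", findings, lambda _: True)
        if "text" in req.get("postData", {}):
            req["postData"]["text"] = _scrub_body(req["postData"]["text"], f"{i}.request.postData", findings)
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = _scrub_body(resp["content"]["text"], f"{i}.response.content", findings)
    return out, findings


# Constructed sample: one authenticated API call as a browser would record it (not real data).
SAMPLE_HAR = {
    "log": {"version": "1.2", "creator": {"name": "example", "version": "0"}, "entries": [{
        "request": {
            "method": "GET",
            "url": "https://example.okta.com/api/v1/users/me?sessionToken=abc123",
            "headers": [{"name": "Cookie", "value": "sid=102abcdef; JSESSIONID=XYZ"},
                        {"name": "Accept", "value": "application/json"}],
            "queryString": [{"name": "sessionToken", "value": "abc123"}],
            "cookies": [{"name": "sid", "value": "102abcdef"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=new; Secure; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "new"}],
            "content": {"mimeType": "application/json",
                        "text": '{"token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJlX3ZhbHVl"}'},
        },
    }]}
}

if __name__ == "__main__":
    clean, found = sanitize_har(SAMPLE_HAR)
    print("\n".join(found))
    print(json.dumps(clean, indent=1))
```

Run it over a real capture with `json.load` in place of `SAMPLE_HAR` and review the findings list before sending the output anywhere. The scrubber is deliberately name-based and best-effort: a token in a header with an unusual name, or a credential embedded in an HTML body, will not be caught, so treat the findings list as a checklist to inspect, not a guarantee.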


It has also blocked the use of personal Google profiles within enterprise versions of Google Chrome, preventing its employees from signing in to their personal accounts on Okta-managed laptops.
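The same control is available to any organization through Chrome’s enterprise policies. The fragment below is an added example, not Okta’s configuration: it restricts browser sign-in to accounts matching a corporate domain pattern (the `okta\.com` pattern and the Linux policy path `/etc/opt/chrome/policies/managed/` are assumptions for illustration; on Windows and macOS the same policy names are delivered via the registry or a managed preferences plist), disables Chrome Sync so saved passwords cannot leave the device, and turns off the built-in password manager so credentials are kept in the corporate vault instead.

```json
{
  "BrowserSignin": 1,
  "RestrictSigninToPattern": ".*@okta\\.com",
  "SyncDisabled": true,
  "PasswordManagerEnabled": false
}
```

`BrowserSignin` set to 1 still permits sign-in (0 would block it entirely), which is why `RestrictSigninToPattern` is needed to reject personal accounts; with `SyncDisabled` true, a profile that did somehow sign in would still not push saved passwords to the cloud. Verify the result on a managed machine at `chrome://policy`.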

“Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators,” Bradbury said.

“Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.”
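The mechanism behind that enhancement is worth seeing in code, because it is the one control that defeats a replayed HAR token even after the file has leaked: the session is bound at login to the network the client came from, and a request presenting the same token from a different network is refused until the user re-authenticates, at which point the token is rotated so the stolen copy dies. The following in-memory session store is an added example written for this article, not Okta’s implementation; the binding granularity (any IPv4 change, or leaving an IPv6 /64) and the step-up flow are assumptions chosen for the demo.

```python
import ipaddress
import secrets

# Assumed binding granularity (not Okta's): any IPv4 change is a network change;
# an IPv6 client may move within its /64 without being asked to re-authenticate.
IPV4_PREFIX = 32
IPV6_PREFIX = 64


def network_key(client_ip):
    """Reduce a client address to the network a session is bound to."""
    ip = ipaddress.ip_address(client_ip)
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class SessionStore:
    """In-memory session table that binds each token to the client's network."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip):
        """Issue a fresh random token bound to the network the login came from."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "net": network_key(client_ip)}
        return token

    def check(self, token, client_ip):
        """Return 'ok', 'reauth_required' (valid token, different network) or 'invalid'."""
        session = self._sessions.get(token)
        if session is None:
            return "invalid"
        if session["net"] != network_key(client_ip):
            # A replayed token from another network is not honoured on its own.
            return "reauth_required"
        return "ok"

    def reauthenticate(self, token, client_ip, credentials_ok):
        """After a successful step-up, rotate the token and rebind it to the new network.

        Returns the new token, or None if the old token is unknown or the step-up failed.
        The old token is deleted, so a copy held by a thief stops working.
        """
        session = self._sessions.get(token)
        if session is None or not credentials_ok:
            return None
        del self._sessions[token]
        return self.login(session["user"], client_ip)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("admin@example.com", "203.0.113.10")   # constructed addresses
    print("same network:", store.check(tok, "203.0.113.10"))
    print("replayed elsewhere:", store.check(tok, "198.51.100.7"))
```

Binding to the exact client address is the strictest and simplest choice, but it forces a step-up every time a laptop moves between Wi‑Fi and a hotspot; a production system would typically key on the egress network or ASN and pair the network check with device posture. The important property is unchanged: the token alone is never sufficient once the network differs from the one it was issued to.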

The development comes days after Okta revealed that personal information belonging to 4,961 current and former employees was exposed after its healthcare coverage vendor, Rightway Healthcare, was breached on September 23, 2023. Compromised data included names, Social Security numbers, and health or medical insurance plan details.
