

Okta

Okta says attackers accessed files containing cookies and session tokens uploaded by customers to its support management system after breaching it using stolen credentials.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” said Okta’s Chief Security Officer David Bradbury.

“It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted.”

Okta’s CSO added that this incident did not impact the Auth0/CIC case management system. Okta notified all customers whose Okta environment or support tickets were impacted by the incident. Those who have not received an alert are not affected.

Session tokens and cookies likely exposed in the attack

While the company has yet to provide details on what customer information was exposed or accessed in the breach, the support case management system breached in this attack was also used to store HTTP Archive (HAR) files used to replicate user or administrator errors to troubleshoot various issues reported by users.

They also contain sensitive data, such as cookies and session tokens, which threat actors could use to hijack customer accounts.

“HAR files represent a recording of browser activity and potentially contain sensitive data, including the content of the pages visited, headers, cookies, and other data,” Okta explains on its support portal.

“While this allows Okta staff to replicate browser activity and troubleshoot issues, malicious actors could use these files to impersonate you.”

The company worked with affected customers during the incident investigation and revoked session tokens embedded in shared HAR files. It now advises all customers to sanitize their HAR files before sharing by ensuring they do not include credentials and cookies/session tokens.
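As an added illustration of that advice (not Okta's tooling and not part of the original report), the Python sketch below redacts credential-bearing fields from a parsed HAR file before it is shared. The list of sensitive name fragments and the choice to blank every cookie, request body and response body are assumptions made for this example; the sample HAR is constructed.

```python
import re

REDACTED = "[REDACTED]"
# Headers whose values always carry credentials or session state.
ALWAYS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Name fragments that mark a header or query field as secret-bearing (assumed list).
SECRET_NAME = re.compile(r"token|secret|passw|session|api[-_]?key|auth", re.I)


def scrub_pairs(pairs, redact_all=False):
    """Redact values of HAR {name, value} pairs; return how many were changed."""
    hits = 0
    for pair in pairs or []:
        name = pair.get("name", "")
        if redact_all or name.lower() in ALWAYS or SECRET_NAME.search(name):
            pair["value"] = REDACTED
            hits += 1
    return hits


def sanitize_har(har):
    """Redact credentials, cookies and tokens in a parsed HAR dict, in place."""
    hits = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            hits += scrub_pairs(msg.get("headers"))
            hits += scrub_pairs(msg.get("cookies"), redact_all=True)
        hits += scrub_pairs(req.get("queryString"))
        url = req.get("url", "")
        if "?" in url:  # the raw URL repeats the query string
            req["url"] = url.split("?", 1)[0] + "?" + REDACTED
        if "postData" in req:  # form and JSON bodies routinely hold passwords
            mime = req["postData"].get("mimeType", "")
            req["postData"] = {"mimeType": mime, "text": REDACTED}
            hits += 1
        if "text" in resp.get("content", {}):  # bodies can embed tokens
            resp["content"]["text"] = REDACTED
            hits += 1
    return hits

# Constructed sample: one entry with a session cookie and a token in the URL.
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://example.test/app?id_token=eyJ.constructed",
                "headers": [{"name": "Cookie", "value": "sid=constructed"},
                            {"name": "Accept", "value": "text/html"}],
                "cookies": [{"name": "sid", "value": "constructed"}],
                "queryString": [{"name": "id_token", "value": "eyJ.constructed"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=constructed"}],
                 "cookies": [], "content": {"text": "<p>constructed body</p>"}}}]}}
```

For a real capture, load the file with `json.load`, call `sanitize_har` on the result, and write the dict back out with `json.dump`; search the output for any remaining secrets before attaching it to a support case.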

Okta also shared a list of indicators of compromise observed during the investigation, including IP addresses and web browser User-Agent information linked to the attackers.

Multiple security incidents in less than 2 years

Last year, Okta disclosed that some of its customers’ data was exposed after the Lapsus$ data extortion group gained access to its administrative consoles in January 2022.

One-time passwords (OTPs) delivered to Okta customers over SMS were also stolen by the Scatter Swine threat group (aka 0ktapus), which breached cloud communications company Twilio in August 2022.

Okta-owned authentication service provider Auth0 also disclosed in September that some older source code repositories were stolen from its environment using an unknown method.

Okta revealed its own source code theft incident in December after the company’s private GitHub repositories were hacked.

An Okta spokesperson did not reply to questions regarding the date of the breach and how many customers were affected when BleepingComputer reached out earlier today.

Instead, the spokesperson said the support system “is separate from the production Okta service, which is fully operational and has not been impacted. We’ve notified impacted customers and taken measures to protect all our customers.”
