December 2, 2023

Okta is defending its response to a recent security incident that caused alarm among several of the company's customers, some of them prominent internet security brands.

In a new blog post on Friday, the identity management company said that from September 28 to October 17, a threat actor "gained unauthorized access to files inside Okta's customer support system associated with 134 Okta customers."

The post adds to what Okta had reported on October 20, in a warning that said hackers used stolen Okta credentials to access files uploaded by an undisclosed number of customers.

The new blog post said some of the files accessed were HTTP Archive (HAR) files, which record the interactions between a website and a browser. These HAR files contained session tokens that could in turn be used for session hijacking attacks.

"The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers," the company said, noting that three of the customers — password manager 1Password, access management firm BeyondTrust and internet security company Cloudflare — have already come forward with their own reports about what happened.

Okta went on to explain that it traced the attack back to a service account in a customer support system. The service account was granted permissions to view and update customer support cases. The investigation found that an employee "had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop."

"The username and password of the service account had been saved into the employee's personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee's personal Google account or personal device," Okta said.

Okta provided a timeline for its response to the issue, revealing that 1Password initially reached out on September 29 but Okta did not disable the compromised service account until October 17.

In addition to the warning from 1Password, BeyondTrust notified Okta of a similar issue on October 2.

In its own message about what happened, Cloudflare did not hold back in its criticism of how Okta handled the situation. Cloudflare said Okta needs to "take any report of compromise seriously and act immediately to limit damage."

Cloudflare slammed Okta for allowing the hacker to remain in its systems from October 2 to October 17 despite being notified by BeyondTrust. Cloudflare also called for "timely, responsible disclosures" to customers after breaches are identified.

When pressed on this large time gap, Okta Chief Security Officer David Bradbury told Recorded Future News that the company began the investigation "immediately" after 1Password stepped forward.

"We suspected that 1Password was most likely the victim of malware or a phishing attack. These are the two most common methods that Okta Security sees related to session token theft, threat actors using malware such as RedLine Stealer or phishing kits that use transparent proxies such as EvilProxy," he said.

"We met regularly with 1Password and BeyondTrust during that 14 day period to try to identify the compromise in partnership with them. Ultimately it took all of us that amount of time to investigate as their initial findings only got us so far in the investigation."

In the blog post, Okta attributed the more than two-week time gap to the fact that it was not able to "identify suspicious downloads" in logs.

Okta said its initial investigation focused on access to support cases, where it examined logs linked to those cases. But the company later realized that the hacker was navigating its system differently, which was generating "an entirely different log event with a different file ID."

"On October 13, 2023, BeyondTrust provided Okta Security a suspicious IP address attributed to the threat actor. With this indicator, we identified the additional file access events associated with the compromised account," Okta said.

The company said it has made several changes to its logging practices in an effort to address the missteps described, and a spokesperson said all customers have been notified.

Okta faced backlash last year for its handling of another data breach involving several customers, and the company's CSO publicly apologized for the incident.
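As an added example (not code from Okta's post or this article), the following Python sanitizer shows the defensive step implied here: it redacts the Cookie, Set-Cookie and Authorization headers and every cookie value in a HAR file before the file is handed to a support desk, and it offers a check that reports whether a HAR still carries session material. The sample HAR and its token values are constructed for the example.

```python
import copy

# Header names whose values routinely carry session material (case-insensitive).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}
REDACTED = "[REDACTED]"

# Constructed sample HAR (not a real capture): one request/response pair
# carrying a session cookie in both directions.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://idp.example.com/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION_ABC123; lang=en"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_ABC123"},
                    {"name": "lang", "value": "en"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie",
                     "value": "sid=CONSTRUCTED_SESSION_DEF456; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_DEF456"}]}}]}}


def _live(value):
    """A value that still needs redacting: present and not already redacted."""
    return bool(value) and value != REDACTED


def _sensitive_fields(har):
    """Yield every header/cookie dict in the HAR whose value may carry a session."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    yield h
            # Every cookie is treated as a potential session cookie.
            yield from msg.get("cookies", [])


def contains_session_material(har):
    """True if any sensitive header or cookie still holds a live value."""
    return any(_live(f.get("value")) for f in _sensitive_fields(har))


def sanitize_har(har):
    """Return (redacted deep copy, number of values redacted); input is untouched."""
    out = copy.deepcopy(har)
    count = 0
    for f in _sensitive_fields(out):
        if _live(f.get("value")):
            f["value"] = REDACTED
            count += 1
    return out, count
```

Run `contains_session_material` on a HAR before it is uploaded anywhere, and only share the copy returned by `sanitize_har`; query-string tokens and bearer tokens embedded in response bodies are outside what this block inspects.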


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.