    Breach affects all customer support users – Krebs on Security

By techempire
When KrebsOnSecurity broke the news on October 20, 2023, the identity and authentication giant Okta said hackers had been able to steal sensitive data from less than one percent of its more than 18,000 customers after a breach of its customer support department. But today, Okta revised its impact statement to say the attackers also stole the names and email addresses of nearly all of its customer support users.

    Okta admitted last month that intruders had access to its customer support case management system in the weeks starting in late September 2023. This access allowed hackers to steal authentication tokens from some Okta customers, which the attacker could then use to make changes to customer accounts, such as adding or modifying authorized users.

    In its initial incident report on the breach, Okta said hackers gained unauthorized access to files within Okta’s customer support system related to 134 Okta customers (less than 1% of Okta’s customer base).

    But in its latest statement released early this morning, Okta said it determined that the intruders also stole the names and email addresses of all Okta customer support system users.

Okta’s advisory states: “With the exception of customers in FedRamp High and DoD IL4 environments, which use separate support systems that are not accessible to threat actors, all Okta Workforce Identity Cloud (WIC) and Customer Identity Solutions (CIS) customers are affected. The Auth0/CIC support case management system is also not affected by this incident.”

Okta said that for nearly 97% of users, the only contact information exposed was their full name and email address. This means that approximately 3% of Okta customer support accounts had one or more of the following data fields exposed (in addition to email address and name): last login; username; phone number; SAML federated ID; company name; professional role; user type; and the date the password was last changed or reset.

    Okta notes that a large number of the exposed accounts belong to Okta administrators (IT staff responsible for integrating Okta authentication technology into customer environments), and that these individuals should be wary of targeted phishing attacks.

    “Many users of the customer support system are Okta administrators,” Okta points out. “It is critical that these users sign up for multi-factor authentication (MFA) to not only protect customer support systems but also securely access their Okta management console.”

Okta says some companies allow their IT staff to operate company-wide authentication systems using Okta admin accounts that are not protected by MFA, which seems completely crazy. Six percent of customers (over 1,000) follow this dangerous practice.

In a previous disclosure on November 3, Okta blamed the breach on an employee who saved service account credentials from Okta’s customer support infrastructure to his personal Google account, and said the credentials were stolen when the employee’s personal device, which used the same Google account, was compromised.

    Unlike standard user accounts for human access, service accounts are primarily used for automated machine-to-machine functions, such as performing data backups or anti-virus scans at a specific time each night. Therefore, they cannot be locked down through multi-factor authentication like user accounts can.

    Ars Technica’s Dan Goodin believes this may explain why MFA was not set on compromised Okta service accounts. But as he rightly points out, if a single employee breach breaks your network, you’re doing it wrong.

“In addition to simple passwords, Okta should set up access controls to limit who or what can log into service accounts,” Goodin wrote on Nov. 4. “One way to do this is to set restrictions or conditions on the IP addresses that can connect. Another approach is to periodically rotate the access tokens used to authenticate service accounts. Of course, it is impossible for employees to log into personal accounts on work machines. These and other precautions are the responsibility of senior personnel within Okta.”
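The controls discussed above (MFA for admin accounts, source-network restrictions on service-account logins, and periodic rotation of service-account tokens) can be audited mechanically. The following is an added example written for this page; it is not Okta's, Ars Technica's or Krebs on Security's code, and every account name, network, IP address and timestamp in it is constructed. The policy structure and the shape of the account export and login events are assumptions for illustration.

```python
"""Constructed audit of IdP admin and service accounts (added example).

Checks three controls against constructed sample data:
  1. human admin accounts must have MFA enrolled,
  2. service-account logins must originate from an allow-listed network,
  3. service-account access tokens must be rotated within a maximum age.
All names, networks, IPs and timestamps below are made up.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Hypothetical policy: allow-listed networks per service account and the
# maximum age an access token may reach before it must be rotated.
POLICY = {
    "allowed_networks": {
        "svc-backup": ["10.20.0.0/16"],
        "svc-av-scan": ["10.30.5.0/24"],
    },
    "max_token_age": timedelta(days=30),
}

# Constructed account inventory, in the shape an IdP admin export might take.
ACCOUNTS = [
    {"name": "alice@example.com", "type": "admin", "mfa_enrolled": True},
    {"name": "bob@example.com", "type": "admin", "mfa_enrolled": False},
    {"name": "svc-backup", "type": "service", "token_issued_at": "2023-09-01T02:00:00Z"},
    {"name": "svc-av-scan", "type": "service", "token_issued_at": "2023-10-25T02:00:00Z"},
]

# Constructed service-account login events (the second one is the outlier).
LOGIN_EVENTS = [
    {"ts": "2023-10-28T02:00:11Z", "account": "svc-backup", "source_ip": "10.20.4.7"},
    {"ts": "2023-10-28T03:14:52Z", "account": "svc-backup", "source_ip": "203.0.113.45"},
    {"ts": "2023-10-28T02:00:09Z", "account": "svc-av-scan", "source_ip": "10.30.5.12"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp like 2023-10-28T02:00:11Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_admin_mfa(accounts):
    """Return the names of admin accounts that have no MFA enrolled."""
    return [a["name"] for a in accounts if a["type"] == "admin" and not a["mfa_enrolled"]]


def audit_token_age(accounts, policy, now):
    """Return (account, age_in_days) for service tokens older than the rotation window."""
    stale = []
    for a in accounts:
        if a["type"] != "service":
            continue
        age = now - parse_ts(a["token_issued_at"])
        if age > policy["max_token_age"]:
            stale.append((a["name"], age.days))
    return stale


def audit_login_sources(events, policy):
    """Return (timestamp, account, ip) for logins from outside the account's allow-list."""
    findings = []
    for ev in events:
        allowed = [ipaddress.ip_network(n) for n in policy["allowed_networks"].get(ev["account"], [])]
        ip = ipaddress.ip_address(ev["source_ip"])
        # An account with no allow-list entry fails closed: every login is flagged.
        if not any(ip in net for net in allowed):
            findings.append((ev["ts"], ev["account"], ev["source_ip"]))
    return findings


def run_audit(accounts=ACCOUNTS, events=LOGIN_EVENTS, policy=POLICY, now=None):
    """Run all three checks; 'now' is fixed for the constructed data so results are stable."""
    now = now or parse_ts("2023-10-28T12:00:00Z")
    return {
        "admins_without_mfa": audit_admin_mfa(accounts),
        "stale_service_tokens": audit_token_age(accounts, policy, now),
        "logins_outside_allowlist": audit_login_sources(events, policy),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

On the constructed data the audit flags one admin without MFA, one service token that is 57 days old against a 30-day rotation window, and one service-account login from an address outside the allow-listed network. A real deployment would feed it the identity provider's user export and authentication logs instead of the embedded samples.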

    Goodin suggests that anyone who wants to further explore the various methods of protecting service accounts should read this article on Mastodon.

“A considerable number of contributions came from security professionals with extensive experience working in sensitive cloud environments,” Goodin wrote.
