IOTW: Okta data breach affects all customer support users
Exposed data increases risk of phishing and social engineering attacks
Add bookmarkOkta has revealed that hackers stole information on all users of its customer support system in a network breach. In a written statement published this week, the firm’s CSO, David Bradbury, said that Okta has determined that a threat actor ran and downloaded a report containing the names and email addresses of all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers. Customers in Okta’s FedRamp High and DoD IL4 environments have not been affected, Bradbury claimed.
Okta first disclosed the breach, which occurred in late September, last month. Originally, the San Francisco-based identity and access management company said that only a certain number of customers (134) were affected. The latest information indicates that Okta underestimated the extent of the breach, although the exposed data does not include user credentials or sensitive personal information, according to Bradbury. “For 99.6 percent of users in the report, the only contact information recorded is full name and email address,” he said.
Reports downloaded by threat actor larger than initially thought
Following its disclosure of the breach on November 3, Okta’s security department reviewed its initial analysis of the actions that the threat actor performed, including manually recreating the reports that the threat actor ran within the customer support system, Bradbury’s statement read. “We identified that the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation. After additional analysis, we concluded that the report contained a list of all customer support system users.”
The discrepancy in its initial analysis stems from the threat actor running an unfiltered view of the report, Bradbury stated. A later review identified that if the filters were removed from the templated report, the downloaded file was considerably larger. Okta also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts, along with other information. Some Okta employee information was also included in these reports.
Okta is continuing to work with a third-party digital forensics firm to validate its findings and will share the report with customers upon completion.
Exposed data increases risk of phishing and social engineering attacks
Given that names and email addresses were downloaded, Okta assessed that there is an increased risk of phishing and social engineering attacks directed at impacted users. “While 94 percent of Okta customers already require multi-factor authentication (MFA) for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing resistant authenticators to further enhance their security,” Bradbury said.
Okta customers are advised to take the following actions to defend against potential attacks that target their Okta administrators:
- Secure admin access using MFA at a minimum, enroll administrative users in phishing resistant authenticators and enforce phishing resistance for access to all administrative applications.
- Enable the Early Access feature in Okta that requires admins to reauthenticate if their session is reused from an IP address with a different autonomous system number (ASN).
- Use new Okta Admin Console timeouts that will be set to a default of a 12-hour session duration and a 15-minute idle time.
- Be vigilant of phishing attempts that target employees and be especially wary of social engineering attempts that target IT help desks and related service providers.
Data breach proves even robust security systems can be vulnerable
The Okta breach proves that even robust security systems can be vulnerable, Callie Guenther, senior manager, cyber threat research at cyber security company Critical Start, tells Cyber Security Hub. “This incident highlights the ongoing challenges in cyber security and the importance of continuous vigilance, especially in identity and access management, which is a critical part of an organization’s security posture.”
With user information, attackers can craft more convincing phishing emails or social engineering campaigns, Guenther adds. “Organizations using Okta services may see an uptick in such activities.”
This is not Okta’s first security challenge. Last year, the firm carried out an investigation into a compromise of one of its third-party vendors. It found that a threat actor accessed two active customer tenants within Okta’s SuperUser application, viewing limited additional information in certain other applications like Slack and Jira.
Report: 'Diagnosing Disaster: How To Recover From An Attack'
This report on incident response and recovery offers pivoting strategies and identifies top internal and external challenges for security teams.
Learn More