Okta Confirms Breach of Support Case Management System

BeyondTrust says it discovered the breach early this month.

Edward Gately, Senior News Editor

October 20, 2023


Okta has identified a cyberattack in which a threat actor used a stolen credential to access the company’s support case management system.

Okta’s David Bradbury

David Bradbury, Okta’s chief security officer, disclosed the breach in a blog post. BeyondTrust, which says it discovered the attack early this month, said the incident was the result of Okta’s support system being compromised, which allowed an attacker to access sensitive files uploaded by Okta’s customers.

According to CNBC, Okta’s stock price fell 11% after it disclosed the breach.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Bradbury said. “It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.”

All customers who were impacted by this have been notified, he said.

“If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets,” Bradbury said. “Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
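The sanitization step Bradbury recommends is easy to get wrong by hand, because a HAR file carries session material in several places: request and response `headers`, the `cookies` arrays, `queryString` parameters and the URL itself, form `postData`, and response bodies that return tokens as JSON. The script below is an added example, not Okta's or BeyondTrust's tooling; it walks the HAR 1.2 structure and redacts values in each of those locations, and returns the redaction count so an operator can confirm something was actually scrubbed before uploading. The list of sensitive header and parameter names is an assumption that should be extended for your own applications; the sample HAR is constructed.

```python
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of header names that carry credentials or session material.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "x-csrf-token", "x-xsrf-token"}
# Assumed list of query/form parameter names that carry tokens.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code",
                    "session", "sessiontoken", "password"}
REDACTED = "REDACTED"

# Token values inside JSON bodies: "access_token": "..." and similar keys.
JSON_TOKEN_RE = re.compile(
    r'("(?:access_token|id_token|refresh_token|sessionToken|token)"\s*:\s*")([^"]*)(")')
# Token values inside form-encoded bodies: password=... and similar keys.
FORM_TOKEN_RE = re.compile(r'(?i)\b(password|access_token|refresh_token|token|session)=([^&\s]+)')


def _redact_pairs(pairs, sensitive_names):
    """Redact the value of every HAR {name, value} pair whose name is sensitive."""
    count = 0
    for pair in pairs or []:
        if pair.get("name", "").lower() in sensitive_names and pair.get("value") != REDACTED:
            pair["value"] = REDACTED
            count += 1
    return count


def _redact_cookies(cookies):
    """Every cookie value is treated as session material and redacted."""
    count = 0
    for cookie in cookies or []:
        if cookie.get("value") != REDACTED:
            cookie["value"] = REDACTED
            count += 1
    return count


def _redact_url(url):
    """Redact sensitive query parameters embedded in the request URL."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    count, new_query = 0, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value != REDACTED:
            value, count = REDACTED, count + 1
        new_query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(new_query))), count


def _redact_text(text):
    """Redact token values in a JSON or form-encoded body."""
    text, n1 = JSON_TOKEN_RE.subn(r"\1" + REDACTED + r"\3", text)
    text, n2 = FORM_TOKEN_RE.subn(r"\1=" + REDACTED, text)
    return text, n1 + n2


def sanitize_har(har):
    """Return (sanitized deep copy of the HAR dict, number of values redacted)."""
    har = copy.deepcopy(har)
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        req["url"], n = _redact_url(req.get("url", ""))
        count += n
        count += _redact_pairs(req.get("headers"), SENSITIVE_HEADERS)
        count += _redact_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        count += _redact_cookies(req.get("cookies"))
        post = req.get("postData") or {}
        count += _redact_pairs(post.get("params"), SENSITIVE_PARAMS)
        if isinstance(post.get("text"), str):
            post["text"], n = _redact_text(post["text"])
            count += n
        count += _redact_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        count += _redact_cookies(resp.get("cookies"))
        content = resp.get("content") or {}
        if isinstance(content.get("text"), str):
            content["text"], n = _redact_text(content["text"])
            count += n
    return har, count


# Constructed sample HAR: one request carrying a session cookie and a token
# in the query string, and a response that sets a cookie and returns a token.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET",
                "url": "https://example.invalid/api/v1/users/me?token=abc123&q=1",
                "headers": [{"name": "Cookie", "value": "sid=SESSION-VALUE"},
                            {"name": "Accept", "value": "application/json"}],
                "queryString": [{"name": "token", "value": "abc123"},
                                {"name": "q", "value": "1"}],
                "cookies": [{"name": "sid", "value": "SESSION-VALUE"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=NEW-VALUE; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "NEW-VALUE"}],
                 "content": {"mimeType": "application/json",
                             "text": '{"access_token": "eyJhbGciOi", "user": "alice"}'}}}]}}

if __name__ == "__main__":
    clean, redacted = sanitize_har(SAMPLE_HAR)
    print(f"redacted {redacted} values")
    print(json.dumps(clean, indent=1))
```

Run it against a real capture by loading the file with `json.load`, passing the dict to `sanitize_har`, and writing the copy out under a new name; a redaction count of zero on a capture of an authenticated session is a sign the sensitive-name lists need extending, not that the file was already clean.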

Additional Details of Support Case Management System Breach

According to BeyondTrust’s blog, on Oct. 2, its security teams detected an identity-centric attack on an in-house Okta administrator account.

“We immediately detected and remediated the attack through our own Identity Security tools, resulting in no impact or exposure to BeyondTrust’s infrastructure or to our customers,” it said. “The incident was the result of Okta’s support system being compromised, which allowed an attacker to access sensitive files uploaded by their customers.”

The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system, BeyondTrust said. Custom policy controls blocked the attacker’s initial activity, “but limitations in Okta’s security model” allowed them to perform a few confined actions. BeyondTrust’s own Identity Security Insights tool alerted the team of the attack, and they were able to block all access and verify that the attacker did not gain access to any systems.

“The initial incident response indicated a possible compromise at Okta of either someone on their support team or someone in position to access customer support-related data,” it said. “We raised our concerns of a breach to Okta on Oct. 2. Having received no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta until Oct. 19 when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers.”


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
