Menu
Browse

Cyber Incident Victim: Okta

Date:

Sep 2023

Location:

Summary

A threat actor gained unauthorized access to Okta's customer support system by compromising a service account whose credentials were stored in an employee's personal Google account. The attackers accessed HTTP Archive (HAR) files containing session tokens for 134 customers, enabling session hijacking against five organizations, including BeyondTrust and Cloudflare. Detection delays occurred due to log analysis limitations, with some affected customers identifying suspicious activity before official notification. The adversary attempted actions like creating backdoor administrator accounts, though impacted customers mitigated further compromise through security controls. Remediation included revoking stolen tokens, disabling the breached service account, blocking personal Google profiles on managed devices, enhancing monitoring, and implementing session token binding based on network location.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

The incident involved unauthorized access to Okta’s customer support case management system between September 28 and October 17, 2023, stemming from a compromised service account. The threat actor exploited credentials stored in an employee’s personal Google account, which had been saved after the employee signed into their personal Google profile on an Okta-managed laptop. This access allowed the adversary to view and download files associated with 134 Okta customers (less than 1% of Okta’s customer base), including HTTP Archive (HAR) files containing active session tokens. These tokens enabled session hijacking attacks against five Okta customers, with three publicly confirming their involvement. Initial detection challenges arose due to Okta’s focus on support case access logs rather than file-specific activity; suspicious file downloads were not identified until October 13, when BeyondTrust provided a key indicator of compromise (an IP address). This led to the discovery of the threat actor’s file access pattern, which bypassed standard logging by navigating directly to the Files tab instead of opening attachments from support cases. Okta revoked session tokens embedded in the stolen HAR files on October 17 and 19, terminated the compromised service account on October 17, and identified Cloudflare as the fifth impacted customer on October 19.

Cyber Incident Image

The breach impacted multiple organizations, including BeyondTrust, Cloudflare, and 1Password, with varying levels of adversarial success. BeyondTrust first alerted Okta on October 2 after detecting an attempt to access their Okta administrator account via a stolen session token from a support ticket uploaded during a prior case. The threat actor attempted actions in BeyondTrust’s environment within 30 minutes of the HAR file upload but was blocked by non-default security policies. The attacker then created a backdoor admin account via Okta’s API, which BeyondTrust disabled promptly. Cloudflare independently detected unauthorized access to its Okta environment on October 18, over 24 hours before Okta’s notification, and contained the breach without customer data loss. Okta’s delayed response—meeting with BeyondTrust on October 11, nine days after their initial report—extended the threat actor’s access window. Remediation included disabling the compromised service account, blocking personal Google profiles on company devices via Chrome Enterprise, enhancing support system monitoring, and implementing session token binding based on network location to force re-authentication upon IP changes. The support case management system remained separate from Okta’s production environment, which was unaffected. All impacted customers were notified by October 19, with root cause analysis published on November 3.

Sources
Sources available to members
2 sources