Okta’s investigation into the breach of its Help Center environment last month revealed that the hackers obtained data belonging to all customer support system users.
The company notes that the threat actor also accessed additional reports and support cases containing contact information for all Okta certified users.
At the beginning of November, the company disclosed that a threat actor had gained unauthorized access to files inside its customer support system and that early evidence indicated a limited data breach.
According to details uncovered at the time, the hacker accessed HAR files containing cookies and session tokens for 134 customers (less than 1% of the company's customers), which could be used to hijack the Okta sessions of legitimate users.
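HAR captures are plain JSON, so the session material that made those files dangerous sits in the `Cookie`/`Set-Cookie`/`Authorization` headers, the `cookies` arrays, and token-like query or form parameters of each entry. The redaction routine below is an added example, not Okta's own tooling; the header and parameter-name lists are assumptions, and the sample capture is constructed.

```python
import json
import re

SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}   # assumed list
# Parameter names that commonly carry bearer material (assumed pattern).
SENSITIVE_PARAMS = re.compile(r"(token|session|sid|code|password)", re.I)
REDACTED = "[REDACTED]"


def sanitize_har(har: dict) -> dict:
    """Return a copy of *har* with cookies, auth headers and token-like params redacted."""
    clean = json.loads(json.dumps(har))           # deep copy; the original is left intact
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED        # the cookie name is kept for debugging value
            params = msg.get("queryString", []) + msg.get("postData", {}).get("params", [])
            for param in params:
                if SENSITIVE_PARAMS.search(param.get("name", "")):
                    param["value"] = REDACTED
    return clean


def remaining_secrets(har: dict, secrets: list[str]) -> list[str]:
    """Check step: which known secret strings still appear anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed sample resembling a login capture; every value here is made up.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {
        "headers": [{"name": "Cookie", "value": "sid=SESSION123"}],
        "cookies": [{"name": "sid", "value": "SESSION123"}],
        "queryString": [{"name": "sessionToken", "value": "TOK456"},
                        {"name": "lang", "value": "en"}],
        "postData": {"params": []},
    },
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=SESSION789; HttpOnly"},
                    {"name": "Content-Type", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "SESSION789"}],
    },
}]}}

if __name__ == "__main__":
    cleaned = sanitize_har(SAMPLE_HAR)
    print(remaining_secrets(cleaned, ["SESSION123", "TOK456", "SESSION789"]))  # → []
```

Response bodies (`content.text`) and raw request bodies (`postData.text`) are not scanned by this routine, so tokens echoed in a JSON body would survive; drop or redact those fields as well before a capture leaves the organisation.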
Further investigation of the attack revealed that the threat actor also “downloaded a report that contained the names and email addresses of all Okta customer support system users.”
“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident” – Okta
According to the company, the stolen report included fields for full name, username, email, company name, user type, address, last password change/reset, role, phone number, mobile number, time zone, and SAML Federation ID.
However, Okta clarifies that for 99.6% of the users listed in the report, the only contact information present was full name and email address. The company also assured that no credentials were exposed.
Okta’s statement notes that many of the exposed users are administrators and 6% of them have not activated the multi-factor authentication defense against unauthorized login attempts.
The company states that the intruders also accessed data from “Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts” along with Okta employee details.
“We also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data” – Okta
Most of the time, names and email addresses are enough for a threat actor to launch phishing or social engineering attacks, which can serve the reconnaissance stage or yield further details for a more sophisticated attack.
To protect against potential attacks, Okta recommends the following:
- Implement MFA for admin access, preferably using phishing-resistant methods like Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards.
- Enable admin session binding to require re-authentication for admin sessions from new IP addresses.
- Set admin session timeouts to a maximum of 12 hours with a 15-minute idle time, as per NIST guidelines.
- Increase phishing awareness by staying vigilant against phishing attempts and reinforcing IT Help Desk verification processes, especially for high-risk actions.
Okta has been a target of credential theft and social engineering attacks over the past two years. Last December, hackers accessed source code from the company's private GitHub repositories.
In January 2022, hackers gained access to the laptop of an Okta support engineer with privileges to initiate password resets for customers. The incident impacted about 375 customers, representing 2.5% of the company’s client base.
The Lapsus$ extortion group claimed the attack and leaked screenshots showing that they had “superuser/admin” access to Okta.com and could access customer data.