Okta, a leading identity and access management company, has warned about credential stuffing attacks targeting its Customer Identity Cloud (CIC).
The company has identified that threat actors are exploiting the cross-origin authentication feature within CIC.
As part of its Okta Secure Identity Commitment, the company routinely monitors and reviews potentially suspicious activities and proactively notifies customers of any threats.
Nature of the Attack
Credential stuffing is a type of cyberattack where adversaries attempt to gain unauthorized access to online services by using large lists of usernames and passwords.
All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo
These credentials are often obtained from previous data breaches, phishing campaigns, or malware attacks.
Okta observed that the endpoints supporting the cross-origin authentication feature were being targeted in such attacks for several customers.
Suspicious Activity Period
The suspicious activity was first observed on April 15.
Okta has advised customers to review their logs for any unusual activity from that date forward.
The company has provided specific log events to review, including:
- fcoa: Failed cross-origin authentication
- scoa: Successful cross-origin authentication
- pwd_leak: Attempted login with a leaked password
Log Review
Customers are advised to review their tenant logs for unexpected fcoa, scoa, and pwd_leak events.
If a tenant does not use cross-origin authentication but has scoa or fcoa events in their logs, they have likely been targeted in a credential stuffing attack.
Similarly, if a tenant using cross-origin authentication saw a spike in scoa events in April or an increase in the ratio of failure-to-success events (fcoa/scoa), they may have been targeted.
If a user’s password was compromised in a credential-stuffing attack, Okta recommends rotating the user’s credentials immediately as a precaution.
Protecting Your Tenant from Credential Stuffing
Okta has provided several recommendations to help protect users from credential-stuffing attacks:
Longer-term Solution
- Passwordless, Phishing-Resistant Authentication: Enroll users in passwordless authentication, with passkeys being the most secure option.
- Passkeys are included in all Auth0 plans, from the free plan to the Enterprise.
Medium-term Mitigations
- Strong Password Policies: To prevent users from choosing weak passwords, require a minimum of 12 characters for passwords and block passwords found in the Common Password List.
- Multi-Factor Authentication (MFA): Require MFA, which is available on various Auth0 plans, including B2C Professional, B2B Essentials, B2B Professional, Startup, and Enterprise plans.
Short-term Mitigations
- Disable Unused Endpoints: Disable the endpoint in the Auth0 Management Console for tenants not using cross-origin authentication.
- Restrict Permitted Origins: If cross-origin authentication is required, restrict permitted origins.
- Enable Breached Password Detection: Enable breached password detection or Credential Guard if supported in the current plan.
- Breached password detection is available on B2C Professional, B2B Professional, Startup, and Enterprise plans, while Credential Guard is available as an add-on through an Enterprise plan.
Okta’s proactive measures and detailed guidance aim to help customers mitigate the risks associated with credential-stuffing attacks.
By following the recommended actions and implementing the suggested protections, customers can better safeguard their identities and maintain the security of their online services.
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.