Saturday, May 18, 2024

A recent data breach in Okta’s customer support affected 134 customers.

The identity and authentication management company Okta revealed on Friday that 134 of its 18,400 clients were impacted by the most recent compromise of the support case management system.

It further stated that the unauthorized intruder had access to its systems between September 28 and October 17, 2023. From there, they were able to obtain HAR files that included session tokens, which could be exploited in session hijacking attacks.
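A HAR file is a JSON capture of browser traffic, so any cookie, Set-Cookie or Authorization header in it carries the live session material the article describes. The following is an added example (not Okta's code or tooling) of a sanitizer that support staff or customers could run before sharing such a file; the HAR content and secret values are constructed for the demonstration.

```python
import json
import copy

# Constructed sample HAR (not from the incident): one request carrying a
# session cookie and a bearer token that a recipient could replay.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.com/api/v1/users/me",
                    "headers": [
                        {"name": "Cookie", "value": "sid=SESSION_VALUE_CONSTRUCTED"},
                        {"name": "Authorization", "value": "Bearer TOKEN_VALUE_CONSTRUCTED"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "SESSION_VALUE_CONSTRUCTED"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=NEW_VALUE_CONSTRUCTED; Secure; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "NEW_VALUE_CONSTRUCTED"}],
                },
            }
        ],
    }
}

# Header names whose values are credentials; matched case-insensitively.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def sanitize_har(har: dict) -> tuple[dict, int]:
    """Return a deep copy of the HAR with credential-bearing header values and
    all cookie values replaced, together with the number of values redacted."""
    out = copy.deepcopy(har)
    redacted = 0
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    redacted += 1
            for cookie in msg.get("cookies", []):  # parsed cookie objects
                cookie["value"] = REDACTED
                redacted += 1
    return out, redacted


def contains_secret(har: dict, needle: str) -> bool:
    """Check the serialized HAR for a known secret value after sanitizing."""
    return needle in json.dumps(har)
```

Request bodies (`postData`) can also carry tokens on login flows and would need the same treatment in a production tool.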

According to David Bradbury, chief security officer of Okta, “the threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers.”

Among those impacted are Cloudflare, BeyondTrust, and 1Password. On September 29, 1Password was the first business to report unusual activity. Two further customers, who were not named, detected suspicious activity on October 12 and October 18.

On October 20, Okta formally disclosed the security incident, claiming that the threat actor had gained access to Okta’s support case management system by using a stolen credential.

The business has now released additional information on what transpired.

It said that the attacker had abused a service account stored within Okta’s customer support system, which granted permission to view and update customer support cases.

Subsequent investigation showed that an employee had signed in to their personal Google account in the Chrome web browser on an Okta-managed laptop, and that the service account’s username and password had been saved to that personal Google account.

“The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device,” Bradbury stated.

Since then, Okta has disabled the compromised service account and revoked the session tokens that were included in the HAR files that the impacted customers shared.

It has also prohibited its employees from logging into their personal accounts on computers that are maintained by Okta by blocking the use of personal Google profiles in enterprise versions of Google Chrome.

“Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators,” Bradbury stated.

“In the event that we identify a network change, Okta administrators are now required to re-authenticate. Customers can activate this option in the Okta admin portal’s early access area.”

This comes days after Okta disclosed that a compromise at its healthcare coverage vendor, Rightway Healthcare, on September 23, 2023, resulted in the exposure of 4,961 present and past employees’ personal information. Names, Social Security numbers, and health or medical insurance plans were among the compromised data.
