Okta: October data breach affects all customer support system users

Okta’s investigation into the breach of its Help Center environment last month revealed that the hackers obtained data belonging to all customer support system users.

The company notes that the threat actor also accessed additional reports and support cases containing contact information for all Okta certified users.

At the beginning of November, the company disclosed that a threat actor had gained unauthorized access to files inside its customer support system and that early evidence pointed to a limited data breach.

According to details available at the time, the hacker accessed HAR files containing cookies and session tokens for 134 customers (less than 1% of the company’s customers), material that could be used to hijack the Okta sessions of legitimate users.
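A HAR file is a JSON recording of browser traffic, so every request and response header, cookie and query string in it is captured verbatim; that is why the stolen files held live session material. The usual advice is to sanitize a HAR before uploading it to any support portal. The script below is an added example written for this article, not Okta’s own tooling: it redacts the header names, cookie values and query parameters listed in its two (assumed, extendable) sets, and `session_material()` lists anything still left so the file can be checked before sharing. The sample HAR is constructed for the example and is not a real capture.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names whose values carry session or credential material (assumed list, extend as needed).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-okta-xsrftoken"}
# Query-string parameter names that commonly carry tokens or auth codes (assumed list).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "sessiontoken", "code", "state"}


def _entries(har):
    return har.get("log", {}).get("entries", [])


def _redact_url(url):
    """Redact sensitive query parameters inside the request URL; returns (url, count)."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    n, pairs = 0, []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k.lower() in SENSITIVE_PARAMS:
            v, n = REDACTED, n + 1
        pairs.append((k, v))
    return urlunsplit(parts._replace(query=urlencode(pairs))), n


def session_material(har):
    """Return (entry index, location, name) for every unredacted value that could hijack a session."""
    hits = []
    for i, entry in enumerate(_entries(har)):
        req = entry.get("request", {})
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    hits.append((i, side + ".headers", h["name"]))
            for c in part.get("cookies", []):
                if c.get("value") not in (None, "", REDACTED):
                    hits.append((i, side + ".cookies", c.get("name")))
        for p in req.get("queryString", []):
            if p.get("name", "").lower() in SENSITIVE_PARAMS and p.get("value") != REDACTED:
                hits.append((i, "request.queryString", p["name"]))
        for k, v in parse_qsl(urlsplit(req.get("url", "")).query, keep_blank_values=True):
            if k.lower() in SENSITIVE_PARAMS and v != REDACTED:
                hits.append((i, "request.url", k))
    return hits


def sanitize_har(har):
    """Return a redacted deep copy of the HAR (input left untouched) plus per-location counts."""
    out = copy.deepcopy(har)
    counts = {"headers": 0, "cookies": 0, "query": 0, "url": 0}
    for entry in _entries(out):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
                    counts["headers"] += 1
            for c in part.get("cookies", []):
                if c.get("value"):  # every cookie value is treated as sensitive
                    c["value"] = REDACTED
                    counts["cookies"] += 1
        req = entry.get("request", {})
        for p in req.get("queryString", []):
            if p.get("name", "").lower() in SENSITIVE_PARAMS:
                p["value"] = REDACTED
                counts["query"] += 1
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            counts["url"] += n
    return out, counts


# Constructed sample HAR, trimmed to the fields that matter (not a real capture).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/api/v1/sessions/me?token=abc123",
        "headers": [{"name": "Cookie", "value": "sid=102Abc; JSESSIONID=xyz"},
                    {"name": "Accept", "value": "application/json"}],
        "queryString": [{"name": "token", "value": "abc123"}],
        "cookies": [{"name": "sid", "value": "102Abc"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102Abc; Path=/; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102Abc"}],
    },
}]}}

if __name__ == "__main__":
    clean, counts = sanitize_har(SAMPLE_HAR)
    print(json.dumps(counts), "remaining:", session_material(clean))
```

The script only touches headers, cookies and query strings. Request bodies (`postData`) and response bodies (`content`) can also carry tokens, for example a JSON login response, and are left untouched here; review them by hand or extend the sets before trusting a sanitized file.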

Further investigation of the attack revealed that the threat actor also “downloaded a report that contained the names and email addresses of all Okta customer support system users.”

“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRAMP High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident” – Okta

According to the company, the stolen report included fields for full name, username, email, company name, user type, address, last password change/reset, role, phone number, mobile number, time zone, and SAML Federation ID.

However, Okta clarifies that for 99.6% of the users listed in the report, the only contact information present was the full name and email address. The company also assured that no credentials were exposed.

Okta’s statement notes that many of the exposed users are administrators and that 6% of them have not enabled multi-factor authentication, the control that blocks login attempts made with a phished or stolen password.

The company states that the intruders also accessed data from “Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts” along with Okta employee details.

“We also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data” – Okta

In most cases, names and email addresses are enough for a threat actor to launch phishing or social engineering campaigns, which can serve the reconnaissance stage of an attack or help them gather the details needed to prepare a more sophisticated one.

To protect against potential attacks, Okta recommends the following:

  1. Implement MFA for admin access, preferably using phishing-resistant methods like Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC smart cards.
  2. Enable admin session binding to require re-authentication for admin sessions from new IP addresses.
  3. Set admin session timeouts to a maximum of 12 hours with a 15-minute idle time, as per NIST guidelines.
  4. Enhance phishing awareness by staying vigilant against phishing attempts and reinforcing IT Help Desk verification processes, especially for high-risk actions.
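Recommendations 2 and 3 are policies that can be enforced in the admin console, but they are also easy to audit after the fact from session activity. The script below is an added example for this article, not Okta code and not the Okta System Log schema: it replays a constructed stream of per-session events (field names `session`, `user`, `admin`, `ip`, `ts` are assumptions) and reports every admin session that continued from a new IP address without re-authentication, sat idle longer than 15 minutes, or lived longer than 12 hours. Non-admin sessions are out of scope, matching the recommendations above.

```python
from datetime import datetime, timedelta

# Thresholds taken from the recommendations above (admin session limits aligned with NIST).
MAX_LIFETIME = timedelta(hours=12)
MAX_IDLE = timedelta(minutes=15)


def event(session, user, admin, ip, ts):
    """Minimal session event; the field names are assumed, not Okta's System Log schema."""
    return {"session": session, "user": user, "admin": admin, "ip": ip, "ts": ts}


def evaluate_sessions(events, max_lifetime=MAX_LIFETIME, max_idle=MAX_IDLE):
    """Replay events per session and return (session, rule, detail) findings for admin sessions.

    Rules: new_ip (session binding violated), idle_exceeded, lifetime_exceeded.
    """
    by_session = {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        by_session.setdefault(e["session"], []).append(e)

    findings = []
    for sid, evs in by_session.items():
        if not evs[0]["admin"]:
            continue  # the policy is scoped to administrator sessions
        first = datetime.fromisoformat(evs[0]["ts"])
        prev_ts, prev_ip = first, evs[0]["ip"]
        for e in evs[1:]:
            ts = datetime.fromisoformat(e["ts"])
            if e["ip"] != prev_ip:
                # Same session cookie presented from a different address: binding should force re-auth.
                findings.append((sid, "new_ip", f"{prev_ip} -> {e['ip']}"))
            if ts - prev_ts > max_idle:
                findings.append((sid, "idle_exceeded", str(ts - prev_ts)))
            if ts - first > max_lifetime:
                findings.append((sid, "lifetime_exceeded", str(ts - first)))
                break  # the session should have been terminated at this point
            prev_ts, prev_ip = ts, e["ip"]
    return findings


# Constructed sample activity (not real log data).
SAMPLE_EVENTS = [
    event("S1", "alice@example.com", True, "203.0.113.10", "2023-10-20T08:00:00"),
    event("S1", "alice@example.com", True, "203.0.113.10", "2023-10-20T08:05:00"),
    event("S1", "alice@example.com", True, "198.51.100.7", "2023-10-20T08:07:00"),  # same cookie, new IP
    event("S2", "bob@example.com", True, "203.0.113.20", "2023-10-20T09:00:00"),
    event("S2", "bob@example.com", True, "203.0.113.20", "2023-10-20T09:30:00"),    # 30 minutes idle
    event("S4", "dave@example.com", False, "203.0.113.40", "2023-10-20T10:00:00"),
    event("S4", "dave@example.com", False, "198.51.100.9", "2023-10-20T10:03:00"),  # non-admin: ignored
] + [
    # S3: an admin session kept alive by 10-minute heartbeats for 13 hours (never idle, but too long).
    event("S3", "carol@example.com", True, "203.0.113.30",
          (datetime(2023, 10, 20, 0, 0) + timedelta(minutes=10 * i)).isoformat())
    for i in range(79)
]

if __name__ == "__main__":
    for finding in evaluate_sessions(SAMPLE_EVENTS):
        print(*finding)
```

The S3 case is the one worth noticing: a session that is never idle still exceeds the absolute lifetime, which is why both limits are needed. A hijacked session token, like the ones in the stolen HAR files, is bounded by exactly these two timers and by the IP-binding check.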

Okta has been a target of credential theft and social engineering attacks over the past two years; in December 2022, hackers accessed source code from the company’s private GitHub repositories.

In January 2022, hackers gained access to the laptop of an Okta support engineer with privileges to initiate password resets for customers. The incident impacted about 375 customers, representing 2.5% of the company’s client base.

The Lapsus$ extortion group claimed the attack and leaked screenshots showing that they had “superuser/admin” access to Okta.com and could access customer data.
