Breach Affects All Customer Support Users – KrebsOnSecurity

When KrebsOnSecurity broke the news on October 20, 2023 that the identity and authentication giant Okta had suffered a breach in its customer support department, Okta said the intrusion allowed hackers to steal sensitive data from less than one percent of its 18,000+ customers. But now Okta has revised that impact statement, saying the attackers also stole the name and email address of nearly all of its customer support users.

Okta acknowledged last month that for several weeks starting in late September 2023, intruders had access to its customer support case management system. That access allowed the hackers to steal authentication tokens from some Okta customers, which the attackers could then use to make changes to customer accounts, such as adding or modifying authorized users.

In its initial incident reports about the breach, Okta said the hackers gained unauthorized access to files within Okta’s customer support system related to 134 Okta customers, or less than 1% of Okta’s customer base.

But in an updated statement published earlier this morning, Okta said it had determined that the intruders also stole the names and email addresses of all Okta customer support system users.

“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are affected except for customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system that was NOT accessible to the threat actor),” Okta’s advisory said. “The Auth0/CIC support case management system was also unaffected by this incident.”

Okta said that for nearly 97 percent of users, the only contact information exposed was a full name and email address. That means about three percent of Okta’s customer support accounts had one or more of the following data fields exposed (in addition to email address and name): last login; username; telephone number; SAML federation ID; company name; job role; type of user; date of last password change or reset.

Okta noted that a large number of the exposed accounts belong to Okta administrators — IT people responsible for integrating Okta’s authentication technology within customer environments — and that these individuals should be on guard for targeted phishing attacks.

“Many users of the customer support system are Okta administrators,” Okta pointed out. “It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).”

While it may seem completely bonkers that some companies allow their IT staff to operate company-wide authentication systems using an Okta administrator account that is not protected by MFA, Okta says fully six percent of its customers (more than 1,000) persist in this dangerous practice.

In a previous disclosure on Nov. 3, Okta blamed the intrusion on an employee who stored the credentials for a service account in Okta’s customer support infrastructure in their personal Google account, and said the credentials were likely stolen when the employee’s personal device, which used the same Google account, was compromised.

Unlike standard user accounts, which are accessed by humans, service accounts are typically reserved for automating machine-to-machine functions, such as performing data backups or running antivirus scans every night at a particular time. For this reason, they cannot be locked down with multifactor authentication the way user accounts can.

Dan Goodin over at Ars Technica reckons this explains why MFA was not set up on the compromised Okta service account. But as he rightly points out, if a single employee’s lapse is enough to breach your network, you’re doing it wrong.

“Okta should have put access controls in place beyond a simple password to limit who or what could log in to the service account,” Goodin wrote on Nov. 4. “One way to do this is to put a limit or condition on the IP addresses that can connect. Another is to regularly rotate the access tokens used to authenticate to those service accounts. And, of course, it should have been impossible for employees to be logged in to personal accounts on a work machine. These and other precautions are the responsibility of senior people within Okta.”
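The two controls Goodin names for service accounts (a source-IP condition and regular token rotation) and the admin-without-MFA problem Okta describes earlier can both be expressed as checks over an account inventory. The following is an added example written for this page, not code from Okta, Ars Technica or any vendor; the account inventory, the account fields, the CIDR ranges and the 30-day rotation limit are all constructed assumptions, and it does not talk to any real Okta API.

```python
"""Audit an identity account inventory for the weaknesses discussed above.

Added illustration, not Okta's code. The inventory and policy values
below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy: a service-account token older than this must be rotated.
MAX_TOKEN_AGE = timedelta(days=30)


@dataclass
class Account:
    name: str
    kind: str                      # "human" or "service"
    is_admin: bool = False         # human accounts only
    mfa_enrolled: bool = False     # human accounts only
    allowed_cidrs: List[str] = field(default_factory=list)  # service accounts
    token_issued_at: Optional[datetime] = None              # service accounts


def audit_account(acct: Account, now: datetime) -> List[str]:
    """Return the list of policy findings for one account (empty if clean)."""
    findings = []
    if acct.kind == "human":
        # The page's point: an admin console login with only a password.
        if acct.is_admin and not acct.mfa_enrolled:
            findings.append("admin account without MFA")
    elif acct.kind == "service":
        # Service accounts cannot use MFA, so compensate with an IP condition
        # and a bounded token lifetime, as Goodin's quote suggests.
        if not acct.allowed_cidrs:
            findings.append("service account has no source-IP restriction")
        if acct.token_issued_at is None:
            findings.append("service account token issue time unknown")
        elif now - acct.token_issued_at > MAX_TOKEN_AGE:
            findings.append("service account token older than rotation limit")
    return findings


def authorize_service_login(acct: Account, source_ip: str,
                            now: datetime) -> Tuple[bool, str]:
    """Decide whether a service-account login from source_ip should proceed.

    Deny by default: no allowlist means no access, and a token past the
    rotation limit is treated as expired even if the secret itself is valid.
    """
    if acct.kind != "service":
        return False, "not a service account"
    if not acct.allowed_cidrs:
        return False, "no source-IP allowlist configured; deny by default"
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(cidr) for cidr in acct.allowed_cidrs):
        return False, f"source {source_ip} not in allowlist"
    if acct.token_issued_at is None or now - acct.token_issued_at > MAX_TOKEN_AGE:
        return False, "token past rotation limit; rotate before use"
    return True, "allowed"


# Constructed sample inventory (not real accounts).
NOW = datetime(2023, 11, 29, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("admin-alice", "human", is_admin=True, mfa_enrolled=True),
    Account("admin-bob", "human", is_admin=True, mfa_enrolled=False),
    Account("backup-runner", "service", allowed_cidrs=["10.20.0.0/24"],
            token_issued_at=NOW - timedelta(days=5)),
    Account("av-nightly", "service", allowed_cidrs=[],
            token_issued_at=NOW - timedelta(days=90)),
]


def audit_inventory(accounts: List[Account], now: datetime) -> dict:
    """Map account name -> findings, keeping only accounts with findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            report[acct.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: {'; '.join(findings)}")
    ok, why = authorize_service_login(SAMPLE_ACCOUNTS[2], "203.0.113.5", NOW)
    print(f"backup-runner from 203.0.113.5 -> {ok} ({why})")
```

Running it lists admin-bob (no MFA) and av-nightly (no IP restriction, stale token), and denies the backup-runner login from an address outside its allowlist while still allowing it from 10.20.0.0/24. In a real deployment the inventory would come from the identity provider's admin API and the token age from its credential metadata; the decision logic stays the same.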

Goodin suggested that people who want to dig deeper into the different approaches for securing service accounts should read this Mastodon thread on the topic.

“A fair number of the contributions come from security professionals with extensive experience working in sensitive cloud environments,” Goodin wrote.
