Recent Okta Customer Support Data Breach Affects 134 Customers

Nov 04, 2023NewsroomData Breach / Cyber ​​Attacks

Okta Data Breach

Identity management and authentication provider Okta on Friday revealed that a recent breach of its support case management system affected 134 of its 18,400 customers.

It further noted that an unauthorized intruder gained access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking. attacks.

“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers,” Okta’s Chief Security Officer, David Bradbury, SAYS.

Three of those affected include 1Password, BeyondTrust, and Cloudflare. 1Password was the first company to report suspicious activity on September 29. Two other unnamed customers were identified on October 12 and October 18.


Okta formally disclosed the security event on October 20, saying the threat actor used access to a stolen credential to access Okta’s support case management system.

Now, the company has shared some details about how this happened.

It said that access to Okta’s customer support system was abusing a service account stored in the system itself, which had privileges to view and update customer support cases.

Further investigation showed that the username and password of the service account had been saved in an employee’s personal Google account and that the individual had signed-in to their personal account in the Chrome web browser on their Okta-managed laptop. .

“The most likely way for this credential to be exposed is through the compromise of the employee’s personal Google account or personal device,” Bradbury said.

Okta has since revoked the session tokens embedded in HAR files shared with affected customers and disabled the compromised service account.


It also blocked the use of personal Google profiles within business versions of Google Chrome, preventing its employees from signing into their personal accounts on Okta-managed laptops.

“Okta released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators,” Bradbury said.

“Okta administrators are now forced to re-authenticate when we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.”

The development comes days after Okta Revelation that personal information belonging to 4,961 current and former employees was exposed after its healthcare coverage vendor, Rightway Healthcare, was breached on September 23, 2023. Compromised data included names, Social Security numbers, and health or medical insurance plan.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment