A hacker has infiltrated Okta, a provider of single sign-on services to thousands of businesses, but the attacker only breached the company’s customer support system.
It's unclear how the hacker broke in. For now, Okta has only said the attacker “leveraged access to a stolen credential to access Okta's support case management system.”
The support case management system is separate from Okta’s production service, which can allow users to log into multiple websites and apps through a single sign-on method.
Still, the hacker had the ability to steal sensitive data from files uploaded to Okta’s customer case management system. This included cookies and session tokens embedded in HTTP Archive files that customers could upload to help them troubleshoot issues.
Stealing these cookies and session tokens can allow a hacker to “impersonate valid users,” the company said, becoming another way to break into someone’s account. As a result, Okta has sent notifications to affected customers, warning them about the threat.
“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” the company added.
Okta declined to provide more details. But according to security journalist Brian Krebs, the company appears to have uncovered the breach when a customer, security vendor BeyondTrust, noticed unusual activity on its network. An Okta account belonging to a BeyondTrust engineer tried to create a powerful admin account. The security vendor then noticed the activity was occurring through a valid session token that BeyondTrust had previously shared to Okta through an HTTP Archive file.
This led BeyondTrust to believe Okta had suffered a breach. However, Okta told Krebs that only a small number of the company’s over 18,000 customers were affected. “This is a known threat actor that we believe has targeted us and Okta-specific customers,” the company added.
The breach occurs over a year after Okta suffered another hack involving the LAPSUS$ gang, who compromised a PC belonging to a customer support agent contracted out from a third-party outsourcing firm. In August, Okta also warned of hackers using social engineering techniques to trick customers into reconfiguring their multi-factor authentication systems to break in.
Okta's blog post includes the IP addresses the hacker used to infiltrate the company's customer support system. Affected customers can use those IP addresses to check whether their own system may have encountered the same attacker.
