A newly released report sheds light on the Okta security breach that occurred between late September and mid-October, affecting 134 out of the company’s 18,400 clients. The breach involved only five instances of successful session hijacking, revealing a relatively contained impact.
The attackers accessed HAR files that contained session tokens for the affected clients, and they were selective in their follow-up attacks, which targeted Cloudflare and two major identity management services in particular. The breach’s origin is traced back to an Okta-managed employee laptop, where a Google password saved in a personal browser profile became the attackers’ entry point.
The report outlines Okta’s response and remediation efforts, including blocking employees from accessing personal Google profiles on managed devices and enhancing monitoring in the customer support system. Additionally, Okta has implemented measures like binding administrator session tokens based on network location.
While the Okta security breach’s overall impact is deemed minimal, the company faces another challenge—a separate breach at a third-party contractor, Rightway Healthcare. This incident, which occurred in September, led to the theft of thousands of employee records, including highly sensitive data such as Social Security numbers and insurance plan information.
Okta has experienced a series of security incidents over the past two years, including source code theft, breaches by hacking groups, and delayed reporting. The recent breach highlights the importance of reinforcing cybersecurity policies, raising awareness about the risks of mixing personal and professional digital activities, and implementing multi-layered security measures.
The report also addresses the proactive measures taken by Cloudflare and Beyond Identity in response to the breach, including HAR sanitizers that strip session tokens and other credentials from a capture before it is shared, reducing the risk to Okta customers.
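To make concrete what a HAR sanitizer does, here is an added example written for this page; it is not code from Okta, Cloudflare or Beyond Identity. It walks a parsed HAR document and redacts the fields where session material lives: `Cookie`, `Set-Cookie` and `Authorization` headers, the per-entry `cookies` arrays, token-bearing query and form parameters, and token fields inside JSON request or response bodies. The header and parameter name lists are assumptions (a sensible default, not a complete one), and the embedded sample capture, including the `idp.example.test` host and every token value, is constructed for the demonstration.

```python
"""Added example: a minimal HAR sanitizer that redacts session material.

Not the sanitizer shipped by any vendor named on the page; header and
parameter lists below are assumed defaults and should be extended locally.
"""
import copy
import json
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names that normally carry credentials (assumed list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-csrf-token", "x-xsrf-token"}
# Query/form parameter names that commonly carry tokens (assumed list).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "session_token", "sessiontoken", "code", "state"}
# JSON body fields that carry tokens, e.g. an identity provider's session reply.
TOKEN_FIELD_RE = re.compile(
    r'("(?:access_token|id_token|refresh_token|session_token|sessionToken)"\s*:\s*")[^"]*(")')


def _redact_named(pairs, names):
    """Redact 'value' in a HAR name/value list whose name is in `names`. Returns count."""
    n = 0
    for item in pairs:
        if item.get("name", "").lower() in names and item.get("value") != REDACTED:
            item["value"] = REDACTED
            n += 1
    return n


def _redact_url(url):
    """Redact sensitive query parameters inside a URL string. Returns (url, count)."""
    parts = urlsplit(url)
    cleaned, changed = [], 0
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            cleaned.append((key, REDACTED))
            changed = 1
        else:
            cleaned.append((key, value))
    if not changed:
        return url, 0
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]"))), 1


def _redact_body(container):
    """Redact token fields in a JSON-ish body text (postData or content)."""
    text = container.get("text")
    if not text:
        return 0
    container["text"], n = TOKEN_FIELD_RE.subn(r"\1" + REDACTED + r"\2", text)
    return n


def sanitize_har(har):
    """Return (sanitized deep copy of a parsed HAR dict, number of redactions)."""
    har = copy.deepcopy(har)
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for section in (req, resp):
            count += _redact_named(section.get("headers", []), SENSITIVE_HEADERS)
            for cookie in section.get("cookies", []):  # every cookie value is session state
                if cookie.get("value") != REDACTED:
                    cookie["value"] = REDACTED
                    count += 1
        count += _redact_named(req.get("queryString", []), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            count += n
        post = req.get("postData", {})
        count += _redact_named(post.get("params", []), SENSITIVE_PARAMS)
        count += _redact_body(post)
        count += _redact_body(resp.get("content", {}))
    return har, count


def sanitize_har_text(text):
    """Sanitize a HAR file given as JSON text; returns (json text, count)."""
    har, count = sanitize_har(json.loads(text))
    return json.dumps(har, indent=2), count


# Constructed sample capture: one request to a made-up identity provider host.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://idp.example.test/api/v1/sessions/me?access_token=tok123&view=full",
        "headers": [{"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Accept", "value": "application/json"}],
        "queryString": [{"name": "access_token", "value": "tok123"},
                        {"name": "view", "value": "full"}],
        "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "def456"}],
        "content": {"mimeType": "application/json",
                    "text": '{"id": "102", "sessionToken": "sess789", "status": "ACTIVE"}'}}}]}}

if __name__ == "__main__":
    # Usage: python har_sanitize.py capture.har > capture.sanitized.har
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else json.dumps(SAMPLE_HAR)
    out, n = sanitize_har_text(src)
    print(out)
    print(f"redacted {n} field(s)", file=sys.stderr)
```

The sanitizer works on a deep copy so the original capture is untouched, and it counts redactions so a support workflow can refuse uploads where the count is zero on a capture that obviously touched a login flow. The body regex deliberately edits text in place rather than re-serialising the JSON, which keeps the rest of the response readable for whoever is debugging.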
Anurag Gurtu, Chief Product Officer at StrikeReady, emphasizes the incident’s significance in reinforcing cybersecurity practices. He underscores the need for organizations to continuously monitor and manage access privileges, deploy multi-layered security measures, and instill discipline and awareness at every level.
While the Okta security breach doesn’t stem from a particular security failing at Okta, the company’s clients have been targeted with phishing attempts in the latter half of 2023. Organizations are advised to be vigilant, particularly about attempts to reset the credentials of “superuser” admin accounts, and to focus on securing the “Inbound Federation” feature. Okta has issued comprehensive advice to help organizations protect against such high-stakes attacks.




