Identity services provider Okta disclosed a new security incident on Friday that allowed unknown threat actors to leverage stolen credentials to access its support case management system.
“The threat actor was able to view files uploaded by some Okta customers as part of recent support cases,” said David Bradbury, Okta’s chief security officer. “It should be noted that the Okta Support Case Management system is separate from the production Okta service, which is fully operational and has not been impacted.”
The company also stressed that its Auth0/CIC case management system was not affected by the breach, noting that it has directly notified customers who were affected.
However, it adds that the customer support system is also used to upload HTTP archive (HAR) files to replicate end user or administrator errors for troubleshooting purposes.
“HAR files may also contain sensitive data, including cookies and session tokens, which malicious actors could use to impersonate legitimate users,” Okta warned.
It further said that it worked with affected customers to ensure that embedded session tokens were revoked to prevent their misuse.
Okta did not disclose the scale of the attack, when the incident occurred or when the unauthorized access was discovered. As of March 2023, it has more than 17,000 customers and manages approximately 50 billion users.
BeyondTrust and Cloudflare are among two customers that have confirmed they were targeted in the latest support systems attack, he said.
“The threat actor was able to hijack a session token from a support ticket created by a Cloudflare employee,” Cloudflare said. “Using tokens extracted from Okta, the threat actor accessed Cloudflare systems on October 18.”
Calling it a sophisticated attack, the web infrastructure and security company said the threat actor behind the activity compromised two separate Cloudflare employee accounts within the Okta platform. It also said that no customer information or systems were accessed as a result of the incident.
BeyondTrust said it notified Okta of the breach on October 2, 2023, but the attack on Cloudflare shows the rival had access to their support systems until at least October 18, 2023.
The identity management services firm said its Okta administrator uploaded a HAR file to the system on October 2 to resolve a support issue, and suspicious activity involving the session cookie was detected within 30 minutes of sharing the file. The attempted attack against BeyondTrust was ultimately unsuccessful.
A spokesperson for the company told “BeyondTrust immediately detected and remedied the attack through its identity tool, Identity Security Insights, resulting in no impact or risk to BeyondTrust’s infrastructure or its customers. “
This development is the latest in a long list of security incidents that have plagued Okta over the past few years. The company has become a high-value target for hacking teams due to the fact that its single sign-on (SSO) services are used by some of the largest companies in the world.
