Okta Reveals Breach Via Stolen Credential

Identity and access management (IAM) specialist Okta has found itself on the receiving end of another security breach after a threat actor was able to access a stolen credential.

Chief security officer (CSO) for the vendor, David Bradbury, explained in a brief blog post on Friday that an adversary used the credential to access its support case management system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” he added.

“It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.”

Read more on Okta security incidents: Okta: Just Two Customers Impacted by Lapsus$ Breach

However, even access to the case management system may have exposed sensitive customer information, Bradbury admitted.

“Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users,” he explained.

“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”

Okta customer BeyondTrust said it notified the IAM vendor about a possible breach on October 2, after detecting an attempt to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system.

“Having received no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta until October 19 when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers,” explained BeyondTrust CTO, Marc Maiffret.

Okta’s Bradbury confirmed that all customers affected by the incident have now been notified.

Reports claimed the news sent the firm’s share price down 12%.

Image credit: rafapress /

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button