Okta Warns Customers of Credential Stuffing Barrage

Anonymizing services and residential proxies have been blamed for an “unprecedented” surge in credential stuffing attacks against Okta customers over the past week.

The identity and access management vendor said its Identity Threat Research team observed a spike in attacks against user accounts between April 19 and 26. These appeared to use the same infrastructure as similar attacks which targeted global VPN users between March 18 and April 16.

“Over the past month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (‘combo lists’), and scripting tools,” Okta said.

“All recent attacks we have observed share one feature in common: they rely on requests being routed through anonymizing services such as TOR. Millions of the requests were also routed through a variety of residential proxies including NSOCKS, Luminati and DataImpulse.”

Read more on Okta: Massive Credential Stuffing Campaign Hits 35,000 PayPal Users

Residential proxies are networks of legitimate users’ devices that are enrolled either with or without the owner’s knowledge. Sometimes users allow their devices to be used by proxy network providers in return for payment, and others are infected with malware that unwittingly enrols them in a botnet.

“The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers,” Okta explained.

“Customers using Okta Identity Engine that (a) enabled ThreatInsight in log and enforce mode and (b) deny access requests from anonymizing proxies were protected from these opportunistic accounts.”

Okta said that only a small percentage of attacks on customers proceeded to the authentication stage. Those customers were “nearly always” running on the Okta Classic Engine with ThreatInsight configured in audit-only mode rather than log and enforce mode, and authentication policies that permitted requests from anonymizing proxies.

Image credit: Poetra.RH /

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button