Five Okta customers were compromised by a cyberattack against the single sign-on provider’s support system, Okta CSO David Bradbury said in a Nov. 3 blog post. The company shared results of its internal investigation two weeks after it first disclosed an intrusion into its support system.
In each case, data was exposed through browser log files the customers had shared with Okta support staff. Those files contained session tokens, which the threat actor used to hijack legitimate Okta sessions.
Of the five, three have come forward: BeyondTrust, Cloudflare and 1Password each independently shared how they detected the activity and prevented the threat actor from causing damage. The other two compromised customers remain unknown.
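The mitigation on the customer side is to strip session material from a browser log before it leaves the organisation. The following added example is not Okta's or any named customer's code; it assumes the browser log is a HAR (HTTP Archive) file, the JSON format browsers export, and redacts cookie and authorization values from each request and response entry.

```python
import copy
import json

REDACTED = "[REDACTED]"
# Headers that carry session or bearer material. HAR stores headers as a list
# of {"name": ..., "value": ...} objects under each entry's request/response.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}


def sanitize_har(har):
    """Return (clean_copy, count) for a parsed HAR dict.

    Sensitive header values and every cookie value are replaced; the input
    dict is left untouched so the caller can keep the original offline.
    """
    clean = copy.deepcopy(har)
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    count += 1
            for cookie in part.get("cookies", []):
                if "value" in cookie:
                    cookie["value"] = REDACTED
                    count += 1
    return clean, count


def sanitize_har_text(text):
    """Sanitize HAR JSON text; returns (clean_text, count)."""
    clean, count = sanitize_har(json.loads(text))
    return json.dumps(clean, indent=2), count


# Constructed sample HAR (not a real capture) with one request/response pair.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://tenant.example/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "def456"}]}}]}})

if __name__ == "__main__":
    cleaned, n = sanitize_har_text(SAMPLE_HAR)
    print(f"redacted {n} values")
```

Run the sanitizer over the exported file and share only its output; the unredacted original should stay on the analyst's machine.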
A threat actor accessed files inside Okta’s customer support system associated with 134 customers between Sept. 28 and Oct. 17, the company said. Okta reported more than 18,400 business customers last month.
“We have notified all customers of our findings and have completed remediations to protect all our customers,” Okta said in a statement.
The company contacted the Cybersecurity and Infrastructure Security Agency and the FBI as its investigation was underway, an Okta spokesperson told Cybersecurity Dive. Okta's inquiry into the attack was done internally and without the assistance of an incident response firm, according to the company.
During that investigation, Okta determined a threat actor accessed a service account stored in the Okta customer support system. Okta's security team found that an employee had signed into their personal Google account in the Chrome browser on their Okta-managed laptop, which caused the service account credentials to be saved to that personal Google account.
“The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device,” Bradbury said in the blog.
The identity and access management provider said it began an investigation on Sept. 29 after 1Password reported suspicious activity. Okta Security identified the unauthorized access of the employee’s service account via support system logs on Oct. 16.
The compromised service account and associated sessions were disabled on Oct. 17, but two days later Okta identified additional files downloaded by the threat actor, which included session tokens, according to Okta.
The company alerted all impacted customers on Oct. 19 and shared the root cause and remediation steps on Nov. 2. The threat actor has not been identified.
“We offer our apologies to those affected customers, and more broadly to all our customers that trust Okta as their identity provider,” Bradbury said.