Okta has blamed a recent hack of its support system on an employee who logged into a personal Google account on a company-operated laptop, exposing information that led to the theft of data from many of Okta’s customers.
David Bradbury, Okta’s chief security officer, said in a brief post-investigation summary that this was “the most likely path” behind the breach, which targeted hundreds of Okta customers, including the cybersecurity firms BeyondTrust and Cloudflare.
“From September 28, 2023 to October 17, 2023, we can confirm that a threat actor gained unauthorized access to files in Okta’s customer support system connected to 134 Okta customers, or less than 1% of Okta customers. Some of these files were HAR files that contained session tokens, which in turn could be used for session hijacking attacks,” Bradbury said in a memo detailing the incident’s timeline.
The threat actor claims to have been able to hijack the legitimate Okta sessions of five customers using these session tokens.
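Because the stolen files were HAR captures carrying live session tokens, the customer-side mitigation is to strip credentials before a HAR ever leaves the browser. The sanitizer below is an added example, not Okta's tooling and not code from the article: it redacts `Authorization`-style headers and every cookie value in request and response entries (keeping cookie names and `Set-Cookie` attributes so the capture is still useful for support), then checks that known token strings no longer appear anywhere in the output. The sample HAR and its token values are constructed, and the `SENSITIVE_HEADERS` list is an assumption to extend for your own environment.

```python
import json

REDACTED = "[REDACTED]"
# Header names whose entire value is a credential. Assumption: a deliberately
# conservative starting list; add the header names your own tooling uses.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "x-okta-xsrftoken"}

# Constructed minimal HAR document for the example; all token values are made up.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [{
        "request": {
            "url": "https://example.okta.com/api/v1/users/me",
            "headers": [
                {"name": "Authorization", "value": "SSWS 00FAKEAPITOKEN"},
                {"name": "Cookie", "value": "sid=FAKESID1; DT=FAKEDT; theme=dark"},
            ],
            "cookies": [{"name": "sid", "value": "FAKESID1"}, {"name": "theme", "value": "dark"}],
        },
        "response": {
            "headers": [
                {"name": "Set-Cookie", "value": "sid=FAKESID2; Path=/; Secure; HttpOnly"},
                {"name": "Content-Type", "value": "application/json"},
            ],
            "cookies": [{"name": "sid", "value": "FAKESID2"}],
            "content": {"mimeType": "application/json", "text": "{\"id\": \"00uFAKE\"}"},
        },
    }]}
})


def _redact_cookie_pairs(pairs):
    """'a=1; b=2' -> 'a=[REDACTED]; b=[REDACTED]' (names are kept for debugging)."""
    out = []
    for part in pairs.split(";"):
        name, eq, _value = part.strip().partition("=")
        out.append(f"{name}={REDACTED}" if eq else name)
    return "; ".join(out)


def redact_header(name, value):
    """Return the header value with any credential material blanked out."""
    lname = name.lower()
    if lname == "cookie":
        return _redact_cookie_pairs(value)
    if lname == "set-cookie":
        # Keep the attributes (Path, Secure, HttpOnly); blank only the cookie value.
        first, sep, attrs = value.partition(";")
        return _redact_cookie_pairs(first) + (sep + attrs if sep else "")
    if lname in SENSITIVE_HEADERS:
        return REDACTED
    return value


def sanitize_har(har_text):
    """Return a sanitized copy of a HAR document as a JSON string."""
    har = json.loads(har_text)
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            for header in msg.get("headers", []):
                header["value"] = redact_header(header["name"], header["value"])
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
    return json.dumps(har, indent=2)


def leaked_secrets(har_text, known_secrets):
    """Secrets from known_secrets that still appear anywhere in har_text."""
    return [s for s in known_secrets if s in har_text]


if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(clean)
    print("still leaking:", leaked_secrets(clean, ["FAKESID1", "FAKESID2", "00FAKEAPITOKEN"]))
```

The final `leaked_secrets` pass is the part worth keeping even if you swap in a different sanitizer: run it with the actual session cookie values from the browser's cookie store, because a token copied into a URL parameter or a response body is not caught by header-based redaction alone.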
Bradbury said the hackers used a service account stored in the system itself, which authorized them to view and update customer support issues.
“During our investigation into the suspicious use of this account, Okta Security discovered that an employee had logged into their personal Google profile on a Chrome browser on an Okta-managed laptop. The service account username and password were stored in the employee’s personal Google account.
“The most likely avenue for exposure of this credential is a breach of the employee’s personal Google account or personal device.”
Bradbury said internal controls failed to detect the breach. “For 14 days, while actively investigating, Okta did not detect any suspicious downloads in our logs. When a user opens and views files associated with a support case, a specific log event type and ID is generated tied to that file. If a user navigates directly to the Files tab in the customer support system, as the threat actor did in this attack, it instead generates a completely different log event with a different record ID.”
Okta’s chief security officer said his team’s initial investigation focused on the support cases themselves, a focus that changed dramatically after BeyondTrust shared suspicious IP addresses attributed to the malicious actor.
“With this indicator, we identified additional file access events associated with the compromised account,” Bradbury explained.
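The detection gap Bradbury describes is an event-type coverage problem: the same action, fetching a support attachment, is logged under two different event types depending on the route taken through the UI, and a rule keyed on only one of them is blind to the other. The example below is added here and is not Okta's System Log schema or tooling; the event type names are hypothetical placeholders, the indicator IPs are documentation-range addresses standing in for the kind of list BeyondTrust shared, and the sample events are constructed. It normalises both event types into a single category before any rule runs, flags attachment access by a service account that should only read and update cases, matches source IPs against the indicator list, and counts per-actor file volume.

```python
from collections import Counter

# Hypothetical event type names (assumption; not Okta's real System Log eventType values).
# Both access paths map to the same category, so a rule written against only the first
# would miss downloads made straight from the Files tab.
FILE_ACCESS_EVENT_TYPES = {
    "support.case.attachment.view": "file_access",   # opened from inside a case
    "support.files.tab.download": "file_access",     # fetched directly from the Files tab
}

# Constructed indicator list (documentation-range placeholder, not a real IoC).
IOC_IPS = {"198.51.100.10"}
# Accounts allowed to read and update cases but with no business downloading attachments.
SERVICE_ACCOUNTS = {"svc-support-bot"}

# Constructed sample events; timestamps, actors, IPs and file ids are made up.
SAMPLE_EVENTS = [
    {"ts": "2023-10-02T10:00:00Z", "actor": "alice", "ip": "203.0.113.5",
     "event_type": "support.case.attachment.view", "case_id": "c-1", "file_id": "f-1"},
    {"ts": "2023-10-02T10:03:00Z", "actor": "svc-support-bot", "ip": "198.51.100.10",
     "event_type": "support.files.tab.download", "case_id": "c-2", "file_id": "f-2"},
    {"ts": "2023-10-02T10:04:00Z", "actor": "svc-support-bot", "ip": "198.51.100.10",
     "event_type": "support.files.tab.download", "case_id": "c-3", "file_id": "f-3"},
    {"ts": "2023-10-02T10:05:00Z", "actor": "svc-support-bot", "ip": "198.51.100.10",
     "event_type": "support.case.note.update", "case_id": "c-3", "file_id": None},
    {"ts": "2023-10-02T10:06:00Z", "actor": "alice", "ip": "203.0.113.5",
     "event_type": "support.case.note.update", "case_id": "c-1", "file_id": None},
    {"ts": "2023-10-02T10:07:00Z", "actor": "svc-support-bot", "ip": "198.51.100.10",
     "event_type": "support.files.tab.download", "case_id": "c-4", "file_id": "f-4"},
    {"ts": "2023-10-02T10:08:00Z", "actor": "svc-support-bot", "ip": "198.51.100.10",
     "event_type": "support.files.tab.download", "case_id": "c-5", "file_id": "f-5"},
]


def normalize(event):
    """Attach a route-independent category so rules key on the action, not the UI path."""
    return {**event, "category": FILE_ACCESS_EVENT_TYPES.get(event["event_type"], "other")}


def file_access_by_path(events):
    """Count file accesses per raw event type; shows how much a single-type rule would miss."""
    return Counter(ev["event_type"] for ev in map(normalize, events)
                   if ev["category"] == "file_access")


def detect(events, ioc_ips=IOC_IPS, service_accounts=SERVICE_ACCOUNTS, max_files_per_actor=3):
    """Return (rule, actor, ip, detail) tuples for every suspicious file access."""
    findings = []
    files_per_actor = Counter()
    for ev in map(normalize, events):
        if ev["category"] != "file_access":
            continue  # note edits and other case activity are out of scope for these rules
        files_per_actor[ev["actor"]] += 1
        if ev["ip"] in ioc_ips:
            findings.append(("ioc_ip", ev["actor"], ev["ip"], ev["file_id"]))
        if ev["actor"] in service_accounts:
            findings.append(("service_account_file_access", ev["actor"], ev["ip"], ev["file_id"]))
    for actor, n in files_per_actor.items():
        if n > max_files_per_actor:
            findings.append(("file_volume", actor, None, n))
    return findings


if __name__ == "__main__":
    print(file_access_by_path(SAMPLE_EVENTS))
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the sample data, four of the five attachment accesses arrive via the Files tab event type, so a rule that only watched the in-case view event would have seen one benign access by a human and nothing else; the service-account rule fires without any indicator at all, which is the check that would have worked before BeyondTrust's IPs arrived.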
Okta has been in the crosshairs of several hacking groups targeting its infrastructure to break into third-party organizations.
In September, Okta said a sophisticated hacking group targeted IT service desk employees in an attempt to persuade them to reset multi-factor authentication (MFA) for high-privileged users at the target organization.
In that attack, Okta said the hackers used new lateral movement and defensive evasion techniques, but did not share any information about the threat actor itself or its ultimate goal. Although it is not clear whether there is a connection, many of Okta’s customers were targeted last year in a financially motivated cybercrime campaign called 0ktapus.