Okta Pwned…. Source Code Stolen

Bleeping Computer is reporting that threat actors have managed to hack into Okta’s private GitHub repositories and swipe source code:

BleepingComputer has obtained a ‘confidential’ security incident notification that Okta has been emailing to its ‘security contacts’ as of a few hours ago. We have confirmed that multiple sources, including IT admins, have been receiving this email notification.

Earlier this month, GitHub alerted Okta of suspicious access to Okta’s code repositories, states the notification.

“Upon investigation, we have concluded that such access was used to copy Okta code repositories,” writes David Bradbury, the company’s Chief Security Officer (CSO) in the email.

Despite stealing Okta’s source code, attackers did not gain unauthorized access to the Okta service or customer data, says the company. Okta’s “HIPAA, FedRAMP or DoD customers” remain unaffected as the company “does not rely on the confidentiality of its source code as a means to secure its services.” As such, no customer action is needed.

At the time of writing our report, the incident appears to be relevant to Okta Workforce Identity Cloud (WIC) code repositories, but not Auth0 Customer Identity Cloud product, given the email wording.

Well, given that Okta provides authentication and Identity and Access Management (IAM) services to major companies around the world, this isn’t good. Neither is the fact that this isn’t the first time that Okta has been pwned. Craig Burland, CISO of Inversion6, had this to say:

This continues an awful year for Okta in terms of cybersecurity, adding to high-profile issues in March and September. While these events appear to be disconnected, it seems possible that the breaches could be part of a larger event, foreshadowing a significant supply chain attack for organizations reliant upon Okta for identity and access services.

As an Okta customer, I would be worried about three things: 1) Is there a fundamental problem with how Okta is managing their environments? 2) Has the Okta platform been somehow compromised in a way that would threaten my operation? 3) What, if anything, can I do quickly to minimize or mitigate the risk to my organization?

How Okta responds to this event and reassures its customers will set the tone for 2023 and may be telling about Okta’s future as the premier provider in this space.

At this point, seeing as Okta can’t secure itself, you have to wonder whether it can secure its customers, because I am questioning that at this very moment.
