Okta Gets Pwned…. And The Downstream Effects Of That Are Starting To Be Felt

On Friday, Okta disclosed a hack of its support systems.Here’s what Okta had to say about that:

The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.

Note: All customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.

Now Okta has had a rough time of it lately as its products have been implicated in a number of high profile hacks. That would include a spate of intrusions at casinos that crippled Las Vegas hotel rooms for days. The MGM hack is an example of this along with the Caesar’s hack. But the hack of Okta itself has had significant downstream effects. 1Password it turns out was affected by this hack:

On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.

Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach.

See our internal Okta Incident Report for additional details.

Cloudflare was also affected by this hack:

On Wednesday, October 18, 2023, we discovered attacks on our system that we were able to trace back to Okta – threat actors were able to leverage an authentication token compromised at Okta to pivot into Cloudflare’s Okta instance. While this was a troubling security incident, our Security Incident Response Team’s (SIRT) real-time detection and prompt response enabled containment and minimized the impact to Cloudflare systems and data. We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response. Okta has now released a public statement about this incident.

This is the second time Cloudflare has been impacted by a breach of Okta’s systems. In March 2022, we blogged about our investigation on how a breach of Okta affected Cloudflare. In that incident, we concluded that there was no access from the threat actor to any of our systems or data – Cloudflare’s use of hard keys for multi-factor authentication stopped this attack.  

Ken Westin, Field CISO, Panther Labs had this to say:

Okta is a prime target for attackers and by compromising their systems, they seek to gain access to their customer’s infrastructure and data. The pivot to 1Password should be a wake-up call for organizations to ensure they are monitoring Okta logs, as well as other identity and password applications.

Clearly Okta needs to do some work here as it’s bad enough that Okta gets hacked. It’s worse that its customers are also affected by said hack. Thus Okta and companies that provide similar services need to get their collective acts together to maximize their security or we are all in very deep trouble.

2 Responses to “Okta Gets Pwned…. And The Downstream Effects Of That Are Starting To Be Felt”

  1. […] might recall that Okta’s support systems were pwned by hackers. That led to Okta customers getting pwned shortly thereafter. Well, you won’t believe how […]

  2. […] has released a new statement in relation to that hack that they had a while ago. At the time, they said it only affected 1% of customers. Well, that statement that I referred to […]

Leave a Reply

%d bloggers like this: