You might recall that Okta’s support system was pwned by hackers, and that Okta customers got pwned shortly thereafter. Well, you won’t believe how Okta got pwned. Here are the details, straight from Okta:
The unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself. This service account was granted permissions to view and update customer support cases. During our investigation into suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.
That’s bad for a very specific reason, which I’ll come back to in a moment. Anurag Gurtu, Chief Product Officer at StrikeReady, had this to say:
“The recent security breach at Okta serves as a stark reminder of the potential vulnerabilities that can arise from seemingly innocuous practices, like using personal accounts on company devices. This incident underscores the critical need for organizations to reinforce their cybersecurity policies and ensure that employees are fully aware of the risks associated with mixing personal and professional digital activities.
It’s also a call to action for companies to continuously monitor and manage access privileges, and to deploy multi-layered security measures that can detect and mitigate unauthorized access promptly. Effective cybersecurity is not just about having the right tools; it’s about instilling the right discipline and awareness at every level of the organization. As we assist our clients in navigating their cybersecurity landscape, incidents like these are invaluable learning opportunities to fortify their defenses and prepare for the inevitability of human error.”
Okta said the breach impacted 134 customers, representing less than 1% of all their customers. Not that it matters, because one customer affected by this is one too many. But to me, it really feels like Okta is throwing the employee under the bus here. The root problem is a support system that kept a privileged service account’s username and password where a browser could save them, and that was clearly vulnerable to attack once that credential leaked. Honestly, I think Okta needs to do better here for themselves and, more importantly, for their customers.
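The credential path Okta describes above (a personal Google profile signed in to Chrome on a managed laptop, with a saved service-account password syncing to that personal account) is something endpoint policy can close off. The following is an added example of mine, not Okta’s code or anything from this post: it audits a managed Chrome policy for the settings that allow exactly that, and shows a weak policy beside a hardened one. The Chrome policy names are real enterprise policies; the policy file path, the domain example.com, the gmail.com probe address and both sample policies are assumptions constructed for the example.

```python
"""Audit a managed Chrome policy for the settings that let a password typed
into a web console end up in an employee's personal Google account.
Added example; not Okta's code or the blog author's."""
import json
import re

# The policy names below are real Chrome enterprise policies. The file path
# (Linux location for managed policy) and example.com are placeholders.
POLICY_PATH = "/etc/opt/chrome/policies/managed/policy.json"
PERSONAL_ADDRESS_PROBE = "someone@gmail.com"  # constructed probe address

# Constructed: a policy file that leaves Chrome's defaults in place.
WEAK_POLICY_JSON = """{
  "BrowserSignin": 1,
  "SyncDisabled": false,
  "PasswordManagerEnabled": true
}"""

# Hardened counterpart: only corporate identities may sign in to the
# browser, nothing syncs to Google, and the built-in password manager is
# off (assumes an enterprise password manager is provisioned instead).
HARDENED_POLICY = {
    "BrowserSignin": 1,
    "RestrictSigninToPattern": r".*@example\.com",
    "SyncDisabled": True,
    "PasswordManagerEnabled": False,
}


def audit_chrome_policy(policy: dict) -> list[str]:
    """Return one finding per weak setting; an empty list means hardened."""
    findings = []
    # BrowserSignin: 0 = sign-in disabled, 1 = allowed (default), 2 = forced.
    signin = policy.get("BrowserSignin", 1)
    if signin != 0:
        pattern = policy.get("RestrictSigninToPattern")
        if not pattern:
            findings.append("BrowserSignin allows any Google account and "
                            "RestrictSigninToPattern is unset: personal "
                            "profiles can sign in")
        # Conservative probe: a corporate-only pattern must not accept a
        # consumer address. fullmatch is stricter than Chrome's own matching.
        elif re.fullmatch(pattern, PERSONAL_ADDRESS_PROBE):
            findings.append(f"RestrictSigninToPattern {pattern!r} still "
                            f"matches {PERSONAL_ADDRESS_PROBE}")
        # Sync only matters when a Google account can be signed in at all.
        if not policy.get("SyncDisabled", False):
            if "passwords" not in policy.get("SyncTypesListDisabled", []):
                findings.append("Saved passwords can sync to the signed-in "
                                "Google account (SyncDisabled is false and "
                                "'passwords' is not in SyncTypesListDisabled)")
    if policy.get("PasswordManagerEnabled", True):
        findings.append("PasswordManagerEnabled is true: credentials typed "
                        "into web apps such as a support console can be "
                        "saved into the browser profile")
    return findings


def audit_policy_text(text: str) -> list[str]:
    """Audit a policy given as JSON text (the managed policy file format)."""
    return audit_chrome_policy(json.loads(text))


def audit_policy_file(path: str = POLICY_PATH) -> list[str]:
    """Audit the managed policy file installed on this machine."""
    with open(path, encoding="utf-8") as fh:
        return audit_policy_text(fh.read())


if __name__ == "__main__":
    for label, findings in (("weak", audit_policy_text(WEAK_POLICY_JSON)),
                            ("hardened", audit_chrome_policy(HARDENED_POLICY))):
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to compare the two sample policies, or call audit_policy_file() on a real managed-policy JSON. Setting BrowserSignin to 0 is the blunt alternative to RestrictSigninToPattern; the audit treats either as closing the personal-profile path, but only disabling the password manager (or keeping "passwords" in SyncTypesListDisabled) stops a saved credential from leaving the laptop.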
Remember The Okta Hack Where They Explained It Only Impacted 1% Of Customers? It Was Actually 100% Of Customers.
Posted in Commentary with tags Okta on November 29, 2023 by itnerd
Okta has released a new statement about the hack it suffered a while ago. At the time, Okta said it affected only 1% of customers. The new statement says something quite different:
We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRAMP High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident.
The threat actor ran a report on September 28, 2023 at 15:06 UTC that contained the following fields for each user in Okta’s customer support system:
The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address.
Okta has around 18,000 customers according to the company’s website. So that’s a major problem for Okta, and an equally major problem for any Okta customer. And the fact that there are no credentials in the report the threat actor ran is irrelevant. The names and email addresses of the people who open Okta support cases are, in practice, a list of the people who administer Okta tenants, which is exactly what a threat actor needs to launch targeted phishing attacks against any Okta customer and pwn them. Even if only 1% of those customers get pwned via a phishing attack or some other attack, it’s 1% too many.
Now, to be fair, Okta does recommend that the following mitigations be implemented ASAP:
We recommend all customers immediately take the following actions to defend against potential attacks that target their Okta administrators.
While all of this is good advice, it doesn’t change the fact that this event reflects very poorly on Okta, and I am not sure how any Okta customer could ever trust the company again. That means Okta really has to explain why customers should trust them going forward. And they need to do it fast.