Okta says hackers used stolen credentials to view customer files

Hackers used stolen Okta credentials to access files uploaded by an undisclosed number of customers, the identity management company said Friday.

Okta Chief Security Officer David Bradbury published a notice explaining that the company “identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system.”

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted,” he said.

“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens.”

All of the customers affected by the incident have already been notified, and Okta did not respond to requests for comment about how many were involved.

Okta explained that the data accessed related to HTTP Archive (HAR) files, which track interactions between a website and a browser. Okta support typically asks customers to upload HAR files when troubleshooting issues. The files replicate browser activity and can contain “sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”

Okta suggested that any HAR files being shared should be “sanitized” of all credentials and cookies/session tokens.

The company shared indicators of compromise in case there are customers who want to check if they were exposed in the attack.

A spokesperson for the security company BeyondTrust contacted Recorded Future News to say they discovered the attack on October 2 when they detected an incident involving an in-house Okta administrator account.

“BeyondTrust immediately detected and remediated the attack through its own identity tools, Identity Security Insights, resulting in no impact or exposure to BeyondTrust’s infrastructure or to its customers,” the spokesperson said.

“The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by its customers.”

The company published a blog about its findings, explaining that after discovering the issue, it approached Okta on October 3 for a more in-depth examination of the issue. They held a Zoom meeting with the company on October 11, as well as two days later. On October 19, Okta confirmed to affected customers that an internal breach had occurred and that BeyondTrust was one of their affected customers.

Okta is a major Single Sign-On provider that allows people to use one account to log into multiple digital services. It is used by several of the world’s biggest companies and governments across the globe.

The company faced backlash last year for its handling of another data breach involving several customers. Company CSO Bradbury publicly apologized for the incident.