Okta defends 2-week gap in response to identity token theft, says 134 customers affected

Okta is defending its response to a recent security issue that caused alarm among several of the company’s customers, some of them prominent internet security brands.

In a new blog post on Friday, the identity management company said that from September 28, to October 17, a threat actor “gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers.”

The post adds to what Okta had reported on October 20, in a warning that said hackers used stolen Okta credentials to access files uploaded by an undisclosed number of customers.

The new blog post said some of the files accessed were HTTP Archive (HAR) files, which track interactions between a website and a browser. These HAR files contained session tokens that could in turn be used for session hijacking attacks.

“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers,” the company said, noting that three of the customers — password manager 1Password, access management firm BeyondTrust and internet security company Cloudflare — have already come forward with their own reports about what happened.

Okta went on to explain that it sourced the attack back to a service account in a customer support system. The service account was granted permissions to view and update customer support cases. The investigation found that an employee “had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop.”

“The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device,” Okta said.

Okta provided a timeline for its response to the issue, revealing that 1Password initially reached out on September 29 but Okta did not disable the compromised service account until October 17.

In addition to the warning from 1Password, BeyondTrust notified Okta of a similar issue on October 2.

In its own message about what happened, Cloudflare did not hold back in its criticism of how Okta handled the situation. Cloudflare said Okta needs to “take any report of compromise seriously and act immediately to limit damage.”

Cloudflare slammed Okta for allowing the hacker to stay in its systems from October 2 to October 17 despite being notified by BeyondTrust. Cloudflare also called for “timely, responsible disclosures” to customers after breaches are identified.

When pressed on this large time gap, Okta Chief Security Officer David Bradbury told Recorded Future News that the company began the investigation “immediately” after 1Password stepped forward.

“We suspected that 1Password was most likely the victim of malware or a phishing attack. These are the two most common methods that Okta Security sees related to session token theft, threat actors using malware such as RedLine Stealer or phishing kits that use transparent proxies such as EvilProxy,” he said.

“We met repeatedly with 1Password and BeyondTrust during that 14 day period to try to identify the compromise in partnership with them. Ultimately it took all of us that amount of time to investigate as their initial findings only got us so far in the investigation.”

In the blog post, Okta attributed the more than two-week time gap to the fact that it was not able to “identify suspicious downloads” in logs.

Okta said its initial investigation focused on access to support cases, where it examined logs linked to those cases. But the company later realized that the hacker was navigating its system in a different way that was generating “an entirely different log event with a different record ID.”

“On October 13, 2023, BeyondTrust provided Okta Security a suspicious IP address attributed to the threat actor. With this indicator, we identified the additional file access events associated with the compromised account,” Okta said.

The company said it has made several changes to its logging practices in an effort to address the missteps described and a spokesperson said all customers have been notified.

Okta faced backlash last year for its handling of another data breach involving several customers and the company’s CSO publicly apologized for the incident.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.