Okta: Breach Affected All Customer Support Users

When KrebsOnSecurity broke the news on Oct. 20, 2023 that identity and authentication giant Okta had suffered a breach in its customer support department, Okta said the intrusion allowed hackers to steal sensitive data from fewer than one percent of its 18,000+ customers. Okta revised that impact statement, saying the attackers also stole the name and email address for nearly all of its customer support users. Okta acknowledged last month that for several weeks beginning in late September 2023, intruders had access to its customer support case management system. That access allowed the hackers to steal authentication tokens from some Okta customers, which the attackers could then use to make changes to customer accounts, such as adding or modifying authorized users. In its initial incident reports about the breach, Okta said the hackers gained unauthorized access to files inside Okta's customer support system associated with 134 Okta customers, or less than 1% of Okta's customer base. In an updated statement published early this morning, Okta said it determined the intruders also stole the names and email addresses of all Okta customer support system users. "All Okta Workforce Identity Cloud and Customer Identity Solution customers are impacted except customers in our FedRamp High and DoD IL4 environments," Okta's advisory states. "The Auth0/CIC support case management system was also not impacted by this incident." Okta said that for nearly 97 percent of users, the only contact information exposed was full name and email address. That means about three percent of Okta customer support accounts had one or more of the following data fields exposed: last login; username; phone number; SAML federation ID; company name; job role; user type; date of last password change or reset. Okta notes that a large number of the exposed accounts belong to Okta administrators - IT people responsible for integrating Okta's authentication technology inside customer environments - and that these individuals should be on guard for targeted phishing attacks. "Many users of the customer support system are Okta administrators," Okta pointed out. "It is critical that these users have multi-factor authentication enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s)." While it may seem completely bonkers that some companies allow their IT staff to operate company-wide authentication systems using an Okta administrator account that isn't protected with MFA, Okta said fully six percent of its customers persist in this dangerous practice. In a previous disclosure on Nov. 3, Okta blamed the intrusion on an employee who saved the credentials for a service account in Okta's customer support infrastructure to their personal Google account, and said it was likely those credentials were stolen when the employee's personal device using the same Google account was compromised. Unlike standard user accounts, which are accessed by humans, service accounts are mostly reserved for automating machine-to-machine functions, such as performing data backups or antivirus scans every night at a particular time. For this reason, they can't be locked down with multifactor authentication the way user accounts can. Dan Goodin over at Ars Technica reckons this explains why MFA wasn't set up on the compromised Okta service account. As he rightly points out, if a transgression by a single employee breaches your network, you're doing it wrong. "Okta should have put access controls in place besides a simple password to limit who or what could log in to the service account," Goodin wrote on Nov. 4. "One way of doing this is to put a limit or conditions on the IP addresses that can connect. Another is to regularly rotate access tokens used to authenticate to service accounts. And, of course, it should have been impossible for employees to be logged in to personal accounts on a work machine. These and other precautions are the responsibility of senior people inside Okta.". Goodin suggested that people who want to delve further into various approaches for securing service accounts should read this thread on Mastodon. "A fair number of the contributions come from security professionals with extensive experience working in sensitive cloud environments," Goodin wrote.

This Cyber News was published on krebsonsecurity.com. Publication date: Thu, 30 Nov 2023 20:25:06 +0000


Cyber News related to Okta: Breach Affected All Customer Support Users

Okta: Breach Affected All Customer Support Users - When KrebsOnSecurity broke the news on Oct. 20, 2023 that identity and authentication giant Okta had suffered a breach in its customer support department, Okta said the intrusion allowed hackers to steal sensitive data from fewer than one percent of ...
11 months ago Krebsonsecurity.com
Using Falco to Create Custom Identity Detections - Recent months have witnessed a surge in attacks targeting popular identity providers like Okta, underscoring the critical need for timely and effective detection capabilities. Open-source Falco offers a Dedicated plugin for the Okta identity ...
11 months ago Feeds.dzone.com
Okta Breach Widens to Affect 100% of Customer Base - Thus, Okta is warning all of its customers to be prepared for similar phishing and social engineering cyber-scams. "Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering ...
11 months ago Darkreading.com
5,000 Okta employees' data accessed in a third-party breach The Register - Updated Okta has sent out breach notifications to almost 5,000 current and former employees, warning them that miscreants breached one of its third-party vendors and stole a file containing staff names, social security numbers, and health or medical ...
11 months ago Theregister.com
Okta Admits All Customer Support Users Impacted By Breach - Okta has revealed that an October security breach compromised all users of its customer support system rather than a small subset as previously thought. CSO David Bradbury said last month that only 134 customers were impacted after a threat actor ...
11 months ago Infosecurity-magazine.com
Okta Hack: Threat Actors Stolen all Customer Data - In a pivotal update to the Okta security incident divulged in October 2023, Okta Security has unearthed additional intricacies surrounding the unauthorized intrusion into its customer support system. This revelation holds profound implications for ...
11 months ago Cybersecuritynews.com
Okta says data leaked on hacking forum not from its systems - Okta denies that its company data was leaked after a threat actor shared files allegedly stolen during an October 2023 cyberattack on a hacker forum. Okta is a San Fransisco-based cloud identity and access management solutions provider whose Single ...
8 months ago Bleepingcomputer.com
OneLogin vs. Okta: Which IAM Solution Is Better? - OneLogin and Okta are two industry-leading identity and access management platforms used to secure user access to corporate resources and manage information about user identity. OneLogin and Okta are enterprise-grade IAM platforms offering security ...
8 months ago Techrepublic.com
Okta warns of credential stuffing attacks targeting its CORS feature - Okta warns that a Customer Identity Cloud feature is being targeted in credential stuffing attacks, stating that numerous customers have been targeted since April. Okta is a leading identity and access management company providing cloud-based ...
5 months ago Bleepingcomputer.com
Cloudflare publishes details of Thanksgiving security breach The Register - Cloudflare has just detailed how suspected government spies gained access to its internal Atlassian installation using credentials stolen via a security breach at Okta in October. In a write-up on Thursday, CEO Matthew Prince, CTO John ...
9 months ago Go.theregister.com
Cloudflare discloses breach related to stolen Okta data - Last fall, Cloudflare announced it mitigated an attempted cyberattack stemming from the infamous Okta breach. Cloudflare disclosed in a blog post that it had been breached by an unnamed nation-state threat actor using an access token and three ...
9 months ago Techtarget.com
Adobe Real-Time CDP: Personalized Customer Experience - Adobe Experience Cloud Products like Adobe Real-Time CDP are available to assist. A revolutionary solution called Adobe Real-Time Customer Data Platform was created to assist companies in realizing the whole value of their customer data. Adobe ...
10 months ago Hackread.com
Review: Top 5 For Outsourced Customer Service Solutions UK and Abroad - For companies that have too many phone calls and emails to keep up, it is very common to outsource your customer services, either domestically in the UK or abroad to the likes of India or The Philippines. An outsourced customer service firm can ...
4 months ago Itsecurityguru.org
Data Breach Response: A Step-by-Step Guide - In today's interconnected world, organizations must be prepared to respond swiftly and effectively in the face of a data breach. To navigate these challenges, a well-defined and comprehensive data breach response plan is essential. Let's explore the ...
9 months ago Securityzap.com
CVE-2021-42016 - A vulnerability has been identified in RUGGEDCOM i800 (All versions < V4.3.8), RUGGEDCOM i801 (All versions < V4.3.8), RUGGEDCOM i802 (All versions < V4.3.8), RUGGEDCOM i803 (All versions < V4.3.8), RUGGEDCOM M2100 (All versions < ...
1 year ago
CVE-2021-42017 - A vulnerability has been identified in RUGGEDCOM i800 (All versions < V4.3.8), RUGGEDCOM i801 (All versions < V4.3.8), RUGGEDCOM i802 (All versions < V4.3.8), RUGGEDCOM i803 (All versions < V4.3.8), RUGGEDCOM M2100 (All versions < ...
1 year ago
Tech Security Year in Review - In this Tech Security Year in Review for 2023, let's look into the top data breaches of the past year. Each factor contributes to the growing threatscape, demanding a proactive and adaptable cybersecurity approach to safeguard your organization ...
10 months ago Securityboulevard.com
CVE-2007-2850 - The Session Reliability Service (XTE) in Citrix MetaFrame Presentation Server 3.0, Presentation Server 4.0, and Access Essentials 1.0 and 1.5, allows remote attackers to bypass network security policies and connect to arbitrary TCP ports via a ...
7 years ago
E-commerce Security: Protecting Customer Data - In today's digital landscape, ensuring the security of customer data in e-commerce is a crucial concern for businesses. Protecting e-commerce data security is a complex task that requires a comprehensive understanding of the challenges faced by ...
9 months ago Securityzap.com
The Rise of Digital Customer Experience - Digital customer experience is a hot topic these days. In all seriousness, digital customer experience is one of the most important differentiators for your business. At its core, DCX is about the customer journey-a guided path for your customers to ...
11 months ago Feedpress.me
CVE-2021-37209 - A vulnerability has been identified in RUGGEDCOM i800 (All versions < V4.3.8), RUGGEDCOM i801 (All versions < V4.3.8), RUGGEDCOM i802 (All versions < V4.3.8), RUGGEDCOM i803 (All versions < V4.3.8), RUGGEDCOM M2100 (All versions < ...
1 year ago
CVE-2024-38867 - A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V9.64), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions < V9.64), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP300) ...
4 months ago
Week in review: PoC for Splunk Enterprise RCE flaw released, scope of Okta breach widens - Vulnerability disclosure: Legal risks and ethical considerations for researchersIn this Help Net Security interview, Eddie Zhang, Principal Consultant at Project Black, explores the complex and often controversial world of vulnerability disclosure in ...
11 months ago Helpnetsecurity.com
CVE-2021-31895 - A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions < V4.3.7), RUGGEDCOM ROS M2200 (All versions < V4.3.7), RUGGEDCOM ROS M969 (All versions < V4.3.7), RUGGEDCOM ROS RMC (All versions < V4.3.7), RUGGEDCOM ROS RMC20 ...
3 years ago
CVE-2022-45044 - A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V9.50), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions < V9.50), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP300) ...
8 months ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)