More details are now available about last month’s Okta security breach that impacted the likes of Cloudflare and 1Password, and as it turns out they were among a tiny handful of customers that actually saw the hackers attempt follow-up breaches using stolen credentials.
Of the company’s more than 18,000 clients, just 134 had files accessed. It appears either that only five had exploitable session tokens in the customer service files the hackers came upon, or that the attackers were only interested in the biggest names among the impacted group. Whatever the case, the total impact of the Okta security breach appears to have been minimal, but it has also added to an ongoing string of incidents for the company.
Okta dealing with two security breaches at once
There were actually two Okta security breaches taking place nearly simultaneously in October: one involving session access tokens taken directly from the company’s customer service department, and another at a third-party health insurance contractor that led to the loss of thousands of records of sensitive employee data.
The breach of vendor Rightway Healthcare appears to be the more serious of the two at the moment, with around 5,000 employee records taken that include Social Security numbers and insurance information. The impacted records date from between April 2019 and the end of 2020.
The Okta security breach covered by this report involved the theft of HAR files used by the company’s customer service system. These are compressed archives of client web activity that are used for IT troubleshooting purposes, but can end up including authentication tokens (as apparently happened with at least five of Okta’s clients).
As to how the breach happened, it appears to have been user error: an Okta employee was apparently logged into their personal Google profile on a managed company computer and had saved their username and password in the Chrome browser. The attacker likely compromised the device directly through some other means and came upon the credentials, or may have compromised the Google account itself.
Okta security breach hit small collection of customers
The Okta security breach began on September 28, with the first reports of suspicious activity from a customer (1Password) coming in on September 29. The joint investigation lasted several days, during which time BeyondTrust also reported similar activity. Cloudflare and two other unnamed companies also reported breach attempts connected with credentials taken from Okta.
Okta has addressed the issue by preventing employees from accessing their Google profiles on company-managed devices, improving the security monitoring of its customer support system, and putting new restrictions on administrator authentication.
Cloudflare and Beyond Identity have each created “HAR sanitizers” that are free to the general public. The greater risk to organizations, however, likely comes from phishing attempts that target Okta credentials, something that high-level criminal hackers have been pursuing heavily over roughly the past year.
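A minimal HAR sanitizer of the kind the article mentions, added here as an illustration (it is not Cloudflare’s or Beyond Identity’s tool): it walks the HAR JSON structure described above and redacts the header, cookie, query-string and body fields that can carry session tokens before the file is shared with a support desk. The embedded HAR is a constructed sample, not a file from the incident.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "session", "sid", "code"}

def _scrub_pairs(pairs, counter, names=None):
    # Redact every {name, value} pair whose name is in `names` (all pairs if None).
    for item in pairs or []:
        if item.get("value") and (names is None or item.get("name", "").lower() in names):
            item["value"] = REDACTED
            counter[0] += 1

def _scrub_url(url, counter):
    # Rebuild the URL with sensitive query parameter values replaced.
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    hits = [(k, v) for k, v in query if k.lower() in SENSITIVE_PARAMS and v]
    counter[0] += len(hits)
    cleaned = [(k, REDACTED if (k, v) in hits else v) for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))

def sanitize_har(har):
    """Return (redacted deep copy of a parsed HAR dict, number of redactions)."""
    har = copy.deepcopy(har)
    count = [0]
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_pairs(msg.get("headers"), count, SENSITIVE_HEADERS)
            _scrub_pairs(msg.get("cookies"), count)  # every cookie value is a secret
        req = entry.get("request", {})
        req["url"] = _scrub_url(req.get("url", ""), count)
        _scrub_pairs(req.get("queryString"), count, SENSITIVE_PARAMS)
        _scrub_pairs(req.get("postData", {}).get("params"), count, SENSITIVE_PARAMS)
        content = entry.get("response", {}).get("content", {})
        if content.get("text"):  # bodies can echo tokens back, so drop them outright
            content["text"], count[0] = REDACTED, count[0] + 1
    return har, count[0]

# Constructed sample HAR for demonstration (not a file from the incident).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://idp.example.test/api/me?token=abc123&v=1",
                "headers": [{"name": "Authorization", "value": "Bearer eyJsecret"}],
                "queryString": [{"name": "token", "value": "abc123"}],
                "cookies": [{"name": "sid", "value": "102XYZ"}]},
    "response": {"status": 200, "cookies": [{"name": "sid", "value": "102XYZ"}],
                 "headers": [{"name": "Set-Cookie", "value": "sid=102XYZ; Secure"}],
                 "content": {"mimeType": "application/json", "text": "{\"sid\":\"102XYZ\"}"}}}]}}
```

Response bodies are dropped wholesale because token-issuing endpoints commonly return the credential in JSON; a production tool would also want to treat any header or parameter name it has not seen before as suspect rather than only the fixed lists here.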