Behind the Headlines: A Technical Analysis of the Okta Breach
Today’s threat landscape forces businesses to stay informed about recent breaches and exploits. The security breach recently disclosed by Okta has reinforced the need for companies to look more closely at their third-party risk exposure. Unfortunately, this latest Okta data breach is one of several compromises in the company’s recent history that have adversely impacted its customers.
In this post, we'll look at Okta's past security issues, how stolen credentials were used in the latest breach, the impact of the breach on digital supply chains, and steps organizations can take to limit the damage from a similar incident at one of their providers.
This analysis is intended to give businesses and their security teams an understanding of the mechanisms behind a breach of this scale, so that they can take more proactive measures to decrease their third-party risk exposure.
Okta’s Role and Previous Company Security Breaches
Okta is an identity and access management (IAM) platform that is used by many companies throughout the world. Essentially, the company provides a cloud-based software as a service (SaaS) solution to organizations for their identity and access management security needs.
Okta helps businesses manage and secure user authentication by building identity controls into applications, websites, web services, and devices. These controls include single sign-on (SSO) integrations, multifactor authentication (MFA), a universal user directory, user lifecycle management, and API access management.
Although demand for IAM solutions has grown as organizations look to better protect themselves, the recent Okta breach is not the first in the company’s history. In January 2022, Okta was attacked by the data extortion cybercrime group Lapsus$; the incident became public in March 2022 when the group posted screenshots of its access.
In that attack, the intruders compromised the laptop of a support engineer working for one of Okta's third-party customer support contractors. The engineer's access allowed actions such as password and MFA resets for customers, and Okta initially estimated that up to 366 customers were potentially affected. Later incidents include Okta source code being copied from its GitHub repositories and a small number of customers' SMS MFA passcodes being exposed in the 2022 Twilio compromise.
Stolen Credentials Led to the Latest Okta Breach
In the most recent Okta security breach, stolen credentials were the primary pathway into the company. With those credentials, the threat actor gained unauthorized access to Okta's internal customer support case management system and was able to view files that customers had uploaded to support cases, some of which contained customers' session tokens and cookies.
As stated by the company’s Chief Security Officer (CSO) David Bradbury in a company press release on the breach, “The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident.”
Okta advised in the release that impacted customers were being notified of their potential exposure. At the time of writing, Okta had not officially disclosed where the stolen credentials came from or exactly how the threat actor exfiltrated customer data.
The files the threat actor viewed were HTTP Archive (HAR) files uploaded to recent support cases. A HAR file is a JSON recording of a browser session, every request and response including headers, cookies and bodies, and Okta's support team asks customers to upload them so that engineers can replicate the customer's browser activity while troubleshooting.
Because a HAR file captures raw traffic, the exposed files may have included sensitive customer data such as live session tokens and cookies. An attacker who replays a valid session cookie arrives already authenticated, so these tokens could be used to impersonate the customer's administrator and gain unauthorized access to the customer's Okta tenant.
Breaches like this are a significant problem for Okta's customers because support sessions may also have contained confidential company data. With that foothold, threat actors can pivot from Okta's support system into customers' environments, moving deeper into the third-party supply chain and exposing further sensitive information for their own gain.
Impact of the Okta Breach on Digital Supply Chains
Many companies rely on third-party security solutions and vendors to support their security needs. This creates a digital supply chain which, if not safeguarded properly, increases the threats and risks to the organization. Although Okta states that its customer support case management system is separate from the production Okta service, the breach poses a real risk to Okta's customers and their broader digital supply chain.
Once a breach has been discovered within the digital supply chain, it’s important for organizations to work quickly to contain their own exposure. Otherwise, the initial attack on Okta can spread to companies further down the chain.
Below are several companies that have released information regarding their company impacts from the recent Okta security breach.
- 1Password - this popular password manager provider stated that it experienced a security incident related to the Okta breach. The organization discovered the incident after an attacker gained access to its Okta identity management tenant. The company said in a blog post about the incident that, “On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”
- BeyondTrust - this identity and access security company advised that it had been the victim of a security incident now known to be tied to the Okta breach. The company’s security team identified and blocked an attempt on October 2 to log into an in-house Okta administrator account using a cookie stolen from Okta's support system. Although the unauthorized access attempt was thwarted, it took more than two weeks for Okta to confirm that the incident was tied to a breach on Okta's side.
- Cloudflare - this leading website and application security provider announced that it had experienced a security incident connected to the Okta breach, and, like BeyondTrust, Cloudflare contacted Okta about the compromise before Okta's public disclosure. In a statement on the company blog: “we discovered attacks on our system that we were able to trace back to Okta – threat actors were able to leverage an authentication token compromised at Okta to pivot into Cloudflare’s Okta instance.” Cloudflare's security and incident response team contained the attempt thanks in part to real-time detection and response. In response to the breach, Cloudflare also released a HAR sanitizer tool that strips session data from the files before they are shared, although HAR files are far from the only attack vector to worry about.
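The HAR exposure described above and the sanitizer Cloudflare released both come down to the same operation: walk the HAR structure and strip anything replayable before the file leaves your hands. As an added example that is not code from the original post, from Okta, or from Cloudflare's tool, the Python below parses a HAR file and redacts Cookie/Set-Cookie/Authorization headers, every cookie entry, token-bearing query and form parameters, token fields inside JSON bodies, and anything shaped like a JWT, returning a list of what it found so the uploader can see exactly what would have leaked. The embedded HAR is constructed; the header and field names it treats as sensitive (including the `x-okta-xsrftoken` header) are this example's own list, not one published by Okta.

```python
"""Find and redact session material in a HAR (HTTP Archive) file before it is shared."""
import copy
import json
import re

REDACTED = "[REDACTED]"

# Header names that carry credentials or session state (matched case-insensitively).
# This list is the example's own choice, not an Okta-published one.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-okta-xsrftoken"}  # assumed Okta CSRF header name
# Query-string, form and JSON field names that typically hold tokens or one-time codes.
SENSITIVE_FIELDS = {"access_token", "id_token", "refresh_token", "sessiontoken",
                    "session_token", "code", "samlresponse", "state", "client_secret"}
# Matches "sessionToken": "...", "access_token":"..." and friends inside JSON bodies.
JSON_FIELD_RE = re.compile(
    r'("(?:' + "|".join(re.escape(f) for f in SENSITIVE_FIELDS) + r')"\s*:\s*")([^"]*)(")',
    re.IGNORECASE)
# Anything shaped like a compact JWS/JWT, wherever it appears in a body.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _redact_pairs(pairs, names, where, findings):
    """Redact name/value pairs (headers, cookies, query, form params) in place.
    names=None means every pair is sensitive (used for cookie lists)."""
    for pair in pairs or []:
        name = str(pair.get("name", ""))
        if (names is None or name.lower() in names) and pair.get("value"):
            findings.append((where, name))
            pair["value"] = REDACTED


def _redact_text(text, where, findings):
    """Redact token fields and JWTs inside a request or response body."""
    if not text:
        return text

    def field_sub(m):
        findings.append((where, m.group(1).split('"')[1]))
        return m.group(1) + REDACTED + m.group(3)

    def jwt_sub(_m):
        findings.append((where, "jwt"))
        return REDACTED

    return JWT_RE.sub(jwt_sub, JSON_FIELD_RE.sub(field_sub, text))


def sanitize_har(har):
    """Return (sanitized deep copy, findings); findings is a list of (location, field name).
    A non-empty findings list means the original file carried something replayable."""
    clean = copy.deepcopy(har)
    findings = []
    for i, entry in enumerate(clean.get("log", {}).get("entries", [])):
        req, resp = entry.get("request", {}), entry.get("response", {})
        loc = f"entry[{i}] {req.get('method', '?')} {req.get('url', '?')}"
        _redact_pairs(req.get("headers"), SENSITIVE_HEADERS, loc + " request.headers", findings)
        _redact_pairs(req.get("cookies"), None, loc + " request.cookies", findings)
        _redact_pairs(req.get("queryString"), SENSITIVE_FIELDS, loc + " request.queryString", findings)
        post = req.get("postData") or {}
        _redact_pairs(post.get("params"), SENSITIVE_FIELDS, loc + " request.postData.params", findings)
        if post.get("text"):
            post["text"] = _redact_text(post["text"], loc + " request.postData.text", findings)
        _redact_pairs(resp.get("headers"), SENSITIVE_HEADERS, loc + " response.headers", findings)
        _redact_pairs(resp.get("cookies"), None, loc + " response.cookies", findings)
        content = resp.get("content") or {}
        if content.get("text"):
            content["text"] = _redact_text(content["text"], loc + " response.content.text", findings)
    return clean, findings


def sanitize_har_file(src_path, dst_path):
    """Sanitize a HAR on disk and return the findings so the caller can decide whether to share it."""
    with open(src_path, encoding="utf-8") as f:
        clean, findings = sanitize_har(json.load(f))
    with open(dst_path, "w", encoding="utf-8") as f:
        json.dump(clean, f, indent=2)
    return findings


# Constructed sample (not a real capture): an Okta-style session cookie, a Bearer JWT,
# an OAuth authorization code and a sessionToken in a JSON response body.
JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJlc2lnbmF0dXJl"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                 "headers": [{"name": "Cookie", "value": "sid=102hKbnzxd0ZApJ6i1zDHE_Q; JSESSIONID=AB12CD34"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "102hKbnzxd0ZApJ6i1zDHE_Q"},
                             {"name": "JSESSIONID", "value": "AB12CD34"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=102hKbnzxd0ZApJ6i1zDHE_Q; Secure; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "102hKbnzxd0ZApJ6i1zDHE_Q"}],
                  "content": {"mimeType": "application/json",
                              "text": '{"id": "00u1abc", "sessionToken": "20111Tooobar"}'}}},
    {"request": {"method": "POST", "url": "https://example.okta.com/oauth2/v1/token",
                 "headers": [{"name": "Authorization", "value": "Bearer " + JWT}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "grant_type", "value": "authorization_code"},
                                         {"name": "code", "value": "AuthCodeXYZ"}]}},
     "response": {"status": 200,
                  "content": {"mimeType": "application/json",
                              "text": '{"token_type":"Bearer","access_token":"' + JWT + '","expires_in":3600}'}}},
]}}
```

Run `sanitize_har_file("support.har", "support.sanitized.har")` on a real capture and read the returned findings before attaching anything to a ticket. The redaction is an allowlist by name plus a JWT pattern, so an opaque token under a name the list does not know will survive; that is the practical reason for Cloudflare's caveat that HAR files remain sensitive even after sanitizing. Treat the sanitized file as confidential and delete it from the support case once it is resolved.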
The breach is still being monitored as more impacted customers release statements about the Okta attack. Okta faces damage to both its reputation and its share price as details and affected customers continue to come forward. The downstream impact of this breach shows the increased need for organizations to fortify the digital supply chain they share with third-party providers.
5 Steps That Would Have Limited the Impact of the Okta Breach
Data breaches are reported more often than ever before. Security incidents like the Okta breach reinforce the importance of securing the digital supply chain from attacks. Below are five valuable steps that organizations can implement to protect themselves against supply chain attacks like this one. They would not have stopped the intrusion into Okta's support system, but they would likely have prevented or contained the impact on Okta's customers.
- Establish security policies and controls within Okta that restrict access to the Admin Console, such as an Admin Console sign-on policy that limits access to trusted network zones and managed devices.
- Enable MFA for all user accounts and enforce it at every sign-on. This should be done for all internal user accounts in general, and for Okta specifically it belongs in the Okta global session policy. Be clear about what this does and does not stop: it defeats an attacker who only has a stolen password, but a replayed session cookie is already past sign-on and inherits the session's MFA state. To block cookie replay you also need step-up authentication on the Admin Console (re-authenticate with MFA on every access) together with the short session lifetimes in step 4.
- Monitor the Okta System Log for newly created and reactivated Okta users, and verify that every session has a valid authentication associated with it. In particular, watch for a session ID that suddenly appears from a new IP address, country or browser without a fresh sign-in, which is the signature of a replayed cookie. Also monitor for account and permission changes, MFA changes that could bypass authentication (factor deactivation or reset), and providers within your supply chain accessing your tenant without permission, which in Okta shows up as Okta Support impersonation events.
- Review session expiration parameters (maximum session lifetime and idle timeout, for the Admin Console in particular) to shrink the window in which a stolen cookie is useful, and, where available, enable session binding that ties an admin session to the network it started from so that a session replayed from elsewhere is terminated.
- Investigate and report any suspicious activity, both within the Okta environment and in your company’s other systems, for signs of a breach.
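Steps 3 and 4 above are concrete enough to automate. As an added example that is not part of the original post or of any Okta tooling, the Python below runs two detections over a constructed batch of Okta System Log events (the field names follow the System Log schema; the events, users, IP addresses and session IDs are made up): a session ID reappearing from a different IP, country or browser, which is what a replayed cookie looks like because the attacker never performs a fresh sign-in, and a watchlist of tenant-changing event types such as user creation, privilege grants, MFA factor removal and Okta Support impersonation grants, each flagged when it happened inside a reused session.

```python
"""Okta System Log detections for the monitoring step above, run over constructed events."""
from collections import defaultdict

# Event types that warrant an alert on their own: tenant changes that extend or hide access.
# Keys follow Okta's System Log eventType values; the descriptions are this example's own.
SENSITIVE_EVENTS = {
    "user.lifecycle.create": "new user created",
    "user.lifecycle.reactivate": "user reactivated",
    "user.account.privilege.grant": "admin privilege granted",
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "system.api_token.create": "API token created",
    "policy.rule.update": "policy rule changed",
    "user.session.impersonation.grant": "Okta Support impersonation granted",
    "user.session.impersonation.initiate": "Okta Support impersonation session started",
}


def _client_fingerprint(ev):
    """(ip, country, user agent) of the client that produced an event."""
    c = ev.get("client") or {}
    return (c.get("ipAddress") or "",
            (c.get("geographicalContext") or {}).get("country") or "",
            (c.get("userAgent") or {}).get("rawUserAgent") or "")


def _session_id(ev):
    return (ev.get("authenticationContext") or {}).get("externalSessionId")


def find_reused_sessions(events):
    """Sessions (externalSessionId) observed from more than one client fingerprint.
    A replayed cookie never produces a fresh user.session.start, so this is the first sign."""
    seen = defaultdict(set)
    for ev in events:
        sid = _session_id(ev)
        if sid:
            seen[sid].add(_client_fingerprint(ev))
    return {sid: fps for sid, fps in seen.items() if len(fps) > 1}


def detect(events):
    """Return alert dicts: one 'session_reuse' per hijack candidate, plus one 'sensitive_event'
    per watchlisted event, marked in_reused_session when it happened inside a reused session."""
    alerts = []
    reused = find_reused_sessions(events)
    for sid, fps in reused.items():
        alerts.append({"rule": "session_reuse", "session": sid,
                       "detail": f"session seen from {len(fps)} distinct clients: {sorted(fps)}"})
    for ev in sorted(events, key=lambda e: e.get("published", "")):
        etype = ev.get("eventType")
        if etype in SENSITIVE_EVENTS:
            alerts.append({"rule": "sensitive_event", "event": etype,
                           "actor": (ev.get("actor") or {}).get("alternateId"),
                           "targets": [t.get("alternateId") for t in ev.get("target") or []],
                           "in_reused_session": _session_id(ev) in reused,
                           "detail": SENSITIVE_EVENTS[etype]})
    return alerts


def _ev(ts, etype, actor, ip, country, ua, sid, targets=()):
    """Build a constructed event in the shape of an Okta System Log record (subset of fields)."""
    return {"published": ts, "eventType": etype, "outcome": {"result": "SUCCESS"},
            "actor": {"type": "User", "alternateId": actor},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country},
                       "userAgent": {"rawUserAgent": ua}},
            "authenticationContext": {"externalSessionId": sid},
            "target": [{"type": "User", "alternateId": t} for t in targets]}


MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Chrome/118.0"
WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
SID_A, SID_B = "102hKbnzxd0ZApJ6i1zDHE_Q", "102Ux9GqwaE2ZnJkdM7Wm0lPQ"
# Constructed sample: alice's admin session id later reappears from another IP, country and
# browser with no new sign-in, then creates a user, grants it admin and removes an MFA factor.
SAMPLE_EVENTS = [
    _ev("2023-10-02T14:01:10Z", "user.session.start", "alice@example.com", "203.0.113.10", "United States", MAC, SID_A),
    _ev("2023-10-02T14:30:00Z", "user.authentication.sso", "alice@example.com", "203.0.113.10", "United States", MAC, SID_A),
    _ev("2023-10-02T16:12:44Z", "user.session.access_admin_app", "alice@example.com", "198.51.100.77", "Malaysia", WIN, SID_A),
    _ev("2023-10-02T16:13:05Z", "user.lifecycle.create", "alice@example.com", "198.51.100.77", "Malaysia", WIN, SID_A, ["svc-backup@example.com"]),
    _ev("2023-10-02T16:13:40Z", "user.account.privilege.grant", "alice@example.com", "198.51.100.77", "Malaysia", WIN, SID_A, ["svc-backup@example.com"]),
    _ev("2023-10-02T16:15:02Z", "user.mfa.factor.deactivate", "alice@example.com", "198.51.100.77", "Malaysia", WIN, SID_A, ["alice@example.com"]),
    _ev("2023-10-02T17:00:00Z", "user.session.start", "bob@example.com", "203.0.113.25", "United States", MAC, SID_B),
    _ev("2023-10-02T17:05:30Z", "user.session.impersonation.grant", "bob@example.com", "203.0.113.25", "United States", MAC, SID_B),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the events come from the System Log API or the SIEM you forward it to, and fingerprinting on the client's ASN rather than the raw IP keeps mobile carriers and VPN rotation from drowning the signal. The impersonation grant for bob is the benign-looking case worth a human look anyway: it is exactly how a provider in your supply chain obtains access to your tenant, so it should always match a support case you opened.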
How Soteri Supports Your Digital Supply Chain
A company’s digital supply chain creates many opportunities to streamline operations. However, that same digital supply chain can also be its largest source of cyber risk. This is where solutions like Soteri’s secret scanning for Bitbucket, Jira, and Confluence can help prevent leaks in your digital supply chain from impacting your organization.
Breaches like the one in Okta's support system can cause a great deal of disruption to the digital supply chain and compromise your own systems as well. Given that these types of breaches are all too common, we've added attachment scanning to our product offerings. This feature can detect and help mitigate issues like the exposed HAR files in the Okta security breach.
Attachment scanning will scan for this exact kind of issue (such as customer data attached to support tickets in Jira) and prevent sensitive information from being exposed externally. Ready to get started? Book a demo with us today.