Unidentified hackers recently broke into Okta and stole customer session cookies, potentially gaining access to those companies’ networks and the ability to infect their endpoints with malware and ransomware.
The company confirmed the news in a blog post written by Chief Security Officer David Bradbury, who said that outsiders had managed to obtain login credentials for Okta’s support case management system.
By logging into the tool, they could view browser recording files that Okta customers had uploaded to troubleshoot issues. These recordings, the company explained, often contain website cookies and session tokens – every hacker’s holy grail, as they allow an intruder to bypass not only the login screen but also multi-factor authentication (MFA).
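A defensive step that follows from the paragraph above, shown as an added example that is not from the original article or from Okta: stripping cookies, authorization headers, token parameters and bodies from a browser recording before it is shared with a support desk. It assumes the recording is a HAR (HTTP Archive) JSON file, a format the article does not name; the parameter-name list, the host and all token values are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Assumed parameter names; extend the set for the application being recorded.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "sessiontoken", "code", "password", "client_secret"}
REDACTED = "REDACTED"

def redact_pairs(pairs, sensitive):
    """Blank the value of each HAR name/value pair whose name is sensitive."""
    for pair in pairs or []:
        if pair.get("name", "").lower() in sensitive:
            pair["value"] = REDACTED

def redact_url(url):
    """Blank sensitive query parameters and drop the fragment."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query), fragment=""))

def sanitize_har(har):
    """Remove cookies, auth headers, token parameters and bodies, in place."""
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        for msg in (req, resp):
            redact_pairs(msg.get("headers"), SENSITIVE_HEADERS)
            for cookie in msg.get("cookies") or []:  # parsed copy of the headers
                cookie["value"] = REDACTED
        req["url"] = redact_url(req["url"])
        resp["redirectURL"] = redact_url(resp.get("redirectURL", ""))
        redact_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        # Bodies can carry tokens in any layout, so they are dropped whole.
        if "postData" in req:
            req["postData"] = {"mimeType": req["postData"].get("mimeType", ""), "text": REDACTED}
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = REDACTED
    return har

# Constructed sample recording: the host and every token value are made up.
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://idp.example/app?access_token=tok123&page=2",
                "headers": [{"name": "Cookie", "value": "sid=sess456"}],
                "cookies": [{"name": "sid", "value": "sess456"}],
                "queryString": [{"name": "access_token", "value": "tok123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=sess789"}],
                 "cookies": [{"name": "sid", "value": "sess789"}],
                 "content": {"text": "{\"token\": \"tok999\"}"}}}]}}
```

To use it on a real recording, load the file with `json.load`, pass the result to `sanitize_har`, and write it back with `json.dump`; searching the output for a known cookie value is a quick check that nothing was missed.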
Customers notified
Whoever hacked Okta did go on to try to compromise one of its customers, it was later said: security firm BeyondTrust was recently called in by one of its customers to inspect a hacking attempt that took place shortly after an administrator had shared a browser recording session with Okta.
According to Marc Maiffret, CTO of BeyondTrust, the attacker used a session token from the uploaded browser recording session and created a new administrator account. The attack “was a result of Okta’s support system being compromised, allowing an attacker to gain access to sensitive files uploaded by their customers.”
We don’t know exactly how many Okta customers were affected by the breach. The company’s spokesperson told TechCrunch that the incident affected approximately 1% of the user base. As of March 2023, Okta said it served approximately 17,000 customers. It is still unknown how the attacker obtained the credentials for the Okta support management system. Okta notified affected companies and brought the incident under control on October 17.
Okta is an access and identity services provider that offers several identity management tools, including Single Sign On.
Via TechCrunch