Unidentified hackers recently broke into Okta and stole client session cookies, potentially giving them access to those companies’ networks, and potentially infect the endpoints with malware and ransomware.
The company confirmed the news in a blog post written by its Chief Security Officer David Bradbury, who confirmed outsiders had managed to get hold of login credentials for Okta’s support case management system.
Logging into the tool, they were able to view browser recording files that Okta’s customers uploaded for troubleshooting. These recordings, as explained, often include website cookies and session tokens – every hacker’s holy grail as it allows them to bypass not just the login screen, but multi-factor authentication (MFA), too.
Customers notified
Whoever hacked Okta really did try to compromise one of its clients, it was later said, as security firm BeyondTrust was recently called in by one of its clients to inspect a hacking attempt that happened soon after an admin shared a browser recording session with Okta.
As per BeyondTrust’s CTO Mark Maiffret, the attacker used a session token from the uploaded browser recording session and created a new admin account. The attack “was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers.”
We don’t know exactly how many of Okta’s customers were affected by the breach. The company’s spokesperson told TechCrunch the incident affected roughly 1% of its userbase. In March 2023, Okta said it services around 17,000 customers. It’s still now known how the attacker obtained the credentials to the Okta support case management system. Okta notified the affected firms and contained the incident on October 17.
Okta is an access and identity service provider, offering different identity management tools including Single Sign On.
Via TechCrunch
