Okta has concluded its investigation into its recent data breach incident, concluding that it was – most likely – due to an employee storing their login credentials into their private Google profile in the Chrome browser and then logging in on a company endpoint.
In an announcement published on the Okta website, the company’s Chief Security Officer David Bradbury said the threat actor abused a service account that was stored in Okta’s system.
This account had permission to view and update customer support cases.
A handful of victims
“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury revealed. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”
In October, unidentified hackers broke into Okta’s customer support system, which gave them access to, among other things, client session cookies. With the help of these cookies, the attackers were able to bypass login screens and even multi-factor authentication (MFA) requirements.
The attack was first spotted by security experts from BeyondTrust, who were called in by one of their clients to inspect a hacking attempt that happened soon after an admin shared a browser recording session with Okta.
In total, Bradbury further explained, 134 Okta customers were affected by this incident, which is less than 1% of its entire user base. Of those 134, the attackers managed to use cookies to hijack legitimate Okta sessions in five instances, three of whom reported back to Okta.
To address the problem, Okta released session token binding based on network location, Bradbury concluded. “Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.”