In an updated disclosure last week, Okta acknowledged that their recent support system breach, detected and reported on by BeyondTrust, involved the theft of data from all Okta customer support system users, potentially putting those users and customers at an increased risk of phishing and social engineering attacks. Okta had earlier stated they believed the breach to have impacted less than 1% of their customer support users.
This blog outlines the new information revealed in the latest disclosure, explains some of the key implications for Okta users, and explores how this breach is actually a mere symptom of a wider identity crisis.
Summary of what happened during the 2023 Okta Support Unit Breach
The support system breach, which occurred between September 28 and October 1, 2023, was initially detected and reported to Okta’s security teams by BeyondTrust on October 2nd, after BeyondTrust security teams detected an identity-centric attack on an in-house Okta administrator account. BeyondTrust’s Identity Security Insights tool, alongside other tooling, allowed our security teams to detect the attack. BeyondTrust blocked all access to the attacker, and verified that they did not gain access to any systems. Since the release of the updated disclosure, BeyondTrust has confirmed that there is no additional exposure to our internal systems or BeyondTrust’s customers, based on this information.
No known compromise or ongoing security incident was communicated by Okta until October 19th, when Okta confirmed that there had been a breach. In their public announcement on October 20th, Okta stated that an attacker had gained unauthorized access to the customer support system by leveraging stolen login credentials, obtained through an employee’s compromised personal Google account. By leveraging those stolen credentials, the attacker was able to hijack an Okta service account that had customer support system access, and had access to files belonging to 134 customers who had used the Okta customer support system.
The incident highlights the importance of carefully managing, controlling, and auditing service accounts. Because most service accounts are a special type of non-human privileged account, the best approach to tackling their security is two-fold: first, you need to identify and bring all accounts under centralized management using a solution like BeyondTrust Password Safe, which can discover every location throughout the network where a service account is referenced. Second, you need to implement an ongoing program based on automated onboarding and management of new accounts.
In the time between receiving the initial report of the breach and the disclosure on October 20th, Okta was actively investigating the incident, focusing on IDs that had accessed support cases during the period in question. BeyondTrust shared details of their detections and investigation with Okta, and in a post-breach analysis blog, Okta said they used an IP address that BeyondTrust had linked to the threat actor via their security solutions. It was through that IP address that Okta was able to identify which files were accessed:
“On October 13, 2023, BeyondTrust provided Okta Security a suspicious IP address attributed to the threat actor. With this indicator, we identified the additional file access events associated with the compromised account.”
According to Okta’s initial post-breach investigation, the number of users impacted by the breach represented less than 1% of their customers. Since that time, Okta has continued their investigation, and last week discovered additional evidence that a report run and downloaded by the threat actor contained the names and email addresses of all 18,400 Okta customer support users, as well as some Okta employee information.
Okta also disclosed that "94% of Okta customers already require MFA for their administrators.” This means 6% of Okta customers don't have MFA enabled for administrators at all, which leaves them very vulnerable. For the 94% who do require MFA, those who use weak MFA factors, such as push or SMS, may also still be at significant risk.
The only Okta users not impacted by the breach are customers in their FedRAMP and DoD IL4 environments, for whom Okta provides a separate support platform.
The new information reveals the attacker ran an automated query of the database in search of customer support system user data, including names, email addresses, company names, contact phone numbers, last login data, and last password changes. Okta has stated, however, that the report accessed by the attacker did not contain user credentials or other sensitive data:
“The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6 percent of users in the report, the only contact information recorded is full name and email address,” said David Bradbury, Okta’s Chief Security Officer.
What are the ongoing risks to Okta users following the breach?
Okta has stated they have no direct knowledge or evidence that the information obtained by the threat actor is being actively exploited yet, but warns of the high possibility that the stolen data will be used for phishing or social engineering attacks. Both Okta and BeyondTrust strongly recommend that all customers implement phishing-resistant multi-factor authenticators (such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards) for their administrator accounts.
Other recent Okta security breaches
The October support unit breach is one of several Okta-related security breaches, and the second major breach impacting Okta customer data in the past two years. Other high-profile breaches include:
- LAPSUS$ attack - In January of 2022, the hacker group LAPSUS$ was able to compromise Okta’s systems by gaining remote access to a machine belonging to an employee of Sitel, a third-party support provider subcontracted by Okta to provide customer service functions. However, Okta did not disclose the breach until months after the attack, when a member of Lapsus$ shared screenshots of Okta’s internal systems in a Telegram channel.
- Scattered Spider attacks – This past year, there have been multiple reports of coordinated attacks against Okta customers, wherein a threat actor uses social engineering to gain access to “super admin” roles in Okta customer tenants. Once the attacker establishes access, they then leverage their compromise of highly privileged Okta super administrator accounts to abuse legitimate identity federation features, enabling them to impersonate users within the compromised organization.
To focus on raising the bar on security, Okta has announced it is implementing a 90-day delay to most product and feature launches, to prioritize security over shipping.
Security lessons from the latest Okta breach
Here are a few, key defensive steps that can help safeguard organizations from identity attacks, such as the ones used to breach Okta:
1. Monitor your identity fabric
Today, attacks can begin and end in your identity fabric—there is no longer any need for a server to be involved. Identity infrastructures have made it possible for attackers to move from on-prem to cloud and vice versa, as well as laterally. Make sure you are monitoring for new accounts, privileges, IdPs, dormant account reactivation, and password and factor resets to help maintain insight across the whole of your identity fabric.
2. Prevent blurring between personal and work accounts
Give employees the ability to easily manage passwords without syncing data to their personal accounts, where it can much more easily get stolen. The important thing to remember here is to provide a good, frictionless security pattern for employees to follow before you disable the practices you want them to avoid. For instance, by leveraging group policy settings and workforce password management, organizations can streamline and safeguard credential management for their employees.
3. Always keep administrative access top-of-mind
Know what the different identities are that can create risk for your organization’s security. Enforcing least privilege, such as by limiting your administrative accounts and hardening administrative access policies, is key. Just remember that it isn’t just the admin accounts you need to watch anymore; you need to be able to extend account monitoring and access management across your entire enterprise.
4. Ensure company-wide adoption of multi-factor authentication (MFA)
It should be a priority for organizations to implement MFA across the company for all identities—not just privileged accounts. Ideally, that implementation will be FIDO2, which creates a higher level of security, is phishing-resistant, and provides a better experience for users. With MFA, it’s important to have an iterative mindset—break your implementation into phases and stages, and think about the incremental milestones and smaller wins to help you roll out a more successful solution over the longer term. Focus on the most privileged accounts first. Those could be administrator accounts or simply people (like the C-level executives) who have a privileged position in the organization.
5. Review configurations, like the “Bind sessions to ASN” feature
MFA, while critically important, does still have some limitations. For example, all verified accounts are granted a session cookie behind the scenes. This can be stolen (session hijacking), allowing a threat actor to completely bypass the user authentication process. Okta recently enabled a new configuration to bind sessions to the ASN (your corner of the internet), reducing the risk of a stolen session being taken and replayed from a completely different location. As this isn’t enabled by default, it’s important to review configurations and enable the features that can help keep your identity infrastructure secure.
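Steps 1 and 5 above both come down to detections a defender can run over an identity provider's audit log: the identity-fabric changes listed in step 1 (new accounts, privilege grants, new IdPs, dormant-account reactivation, password and factor resets), and the session-replay pattern that "Bind sessions to ASN" in step 5 is meant to block. The script below is an added example, not code from BeyondTrust or Okta. The field names it reads follow the shape of Okta's System Log (eventType, published, actor.alternateId, target[].alternateId, client.ipAddress, authenticationContext.externalSessionId, securityContext.asNumber); the event type strings are assumed to match Okta's naming, and every event in SAMPLE_EVENTS is constructed for the demonstration rather than taken from a real tenant.

```python
"""Added example (not BeyondTrust's or Okta's code): two detections run over
exported Okta-style System Log events. Field names follow the System Log
schema; event type strings are assumptions, and SAMPLE_EVENTS is constructed."""

# Identity-fabric changes step 1 says to watch: new accounts, privilege
# grants, group changes, factor and password resets, and new IdPs.
WATCHED_EVENTS = {
    "user.lifecycle.create": "new account created",
    "user.lifecycle.reactivate": "dormant account reactivated",
    "user.account.privilege.grant": "admin privilege granted",
    "group.user_membership.add": "group membership changed",
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "user.account.reset_password": "password reset",
    "system.idp.lifecycle.create": "identity provider added",
}


def flag_identity_changes(events):
    """Return one finding per watched event, recording who changed what."""
    findings = []
    for ev in events:
        label = WATCHED_EVENTS.get(ev["eventType"])
        if label is None:
            continue
        targets = ev.get("target") or [{}]
        findings.append({
            "when": ev["published"],
            "what": label,
            "actor": ev["actor"]["alternateId"],
            "target": targets[0].get("alternateId"),
            "ip": ev["client"]["ipAddress"],
        })
    return findings


def flag_session_asn_changes(events):
    """Flag a session id reused from a different ASN than it started on.
    Okta's 'Bind sessions to ASN' setting rejects this at request time;
    this is the after-the-fact SIEM version of the same check."""
    origin = {}  # session id -> (asn, ip) of the first event seen for it
    findings = []
    for ev in events:
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        asn = ev.get("securityContext", {}).get("asNumber")
        if not sid or asn is None:
            continue
        first = origin.setdefault(sid, (asn, ev["client"]["ipAddress"]))
        if asn != first[0]:
            findings.append({
                "when": ev["published"],
                "session": sid,
                "user": ev["actor"]["alternateId"],
                "origin_asn": first[0],
                "seen_asn": asn,
                "seen_ip": ev["client"]["ipAddress"],
            })
    return findings


def run_detections(events):
    """Run both checks over one export and return the findings by kind."""
    return {
        "identity_changes": flag_identity_changes(events),
        "session_asn_changes": flag_session_asn_changes(events),
    }


def _event(published, etype, actor, ip, asn, sid, target=None):
    """Build a minimal System-Log-shaped event (constructed sample data)."""
    ev = {
        "published": published,
        "eventType": etype,
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip},
        "securityContext": {"asNumber": asn},
        "authenticationContext": {"externalSessionId": sid},
    }
    if target:
        ev["target"] = [{"alternateId": target}]
    return ev


# Constructed sample log (documentation IP ranges, private ASNs): an admin
# session that later resurfaces from another ASN, plus a dormant-account
# reactivation performed by a service account.
SAMPLE_EVENTS = [
    _event("2023-09-28T14:01:00Z", "user.session.start", "alice@example.com", "203.0.113.10", 64500, "s-1"),
    _event("2023-09-28T14:02:00Z", "user.account.privilege.grant", "alice@example.com", "203.0.113.10", 64500, "s-1", target="bob@example.com"),
    _event("2023-09-28T14:05:00Z", "user.mfa.factor.reset_all", "alice@example.com", "203.0.113.10", 64500, "s-1", target="bob@example.com"),
    _event("2023-09-28T14:20:00Z", "user.authentication.sso", "alice@example.com", "198.51.100.7", 64510, "s-1"),
    _event("2023-09-29T09:00:00Z", "user.lifecycle.reactivate", "svc-support@example.com", "192.0.2.44", 64500, "s-2", target="carol@example.com"),
    _event("2023-09-29T09:01:00Z", "user.authentication.sso", "carol@example.com", "192.0.2.44", 64500, "s-3"),
]

if __name__ == "__main__":
    for kind, items in run_detections(SAMPLE_EVENTS).items():
        print(kind)
        for finding in items:
            print("  ", finding)
```

On the sample data the first check raises the privilege grant, the factor reset and the reactivation, and the second check raises session s-1 once, when it reappears from AS64510 after starting in AS64500. Against a real export the watched-event list is the part to tune: adding the admin-role and group events your tenant actually uses matters more than the ASN check, which only catches a stolen cookie replayed from outside the victim's network.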
Why the Okta breach is a symptom of a wider identity security crisis
While the super admins in Okta are making headlines now, they are really only one piece of the story. There is an entire identity ecosystem that needs to be safeguarded, which means it is vital to start thinking about how you are going to protect your organization. Identities, especially those with significant privileges, play a central role in today’s attacks. A rising number of identity security attacks are exploiting the gaps in visibility between Identity Access Management tools and traditional security tooling, and threat actors are focusing more on exploiting identities and using social engineering, instead of relying on exploits and malware. Defending your organization against today’s identity threats requires tools that can help you gain visibility and control of identities and privileges, reduce risk, and detect threats.
Laura Bohnert, Sr. Marketing Content & PR Manager
As a Sr. Marketing Content & PR Manager at BeyondTrust, Laura Bohnert applies a multifaceted, tech-centered marketing skillset to help drive SEO, blog, PR, and product marketing in support of BeyondTrust’s demand generation and sales enablement initiatives. She has a diverse background in product marketing, brand marketing, content writing, social media, event coordination, and public relations. Outside of the tech world, she has a passion for literature, with a BA, MA, and PhD Candidacy in English Literature, and she can either be found beekeeping, restoring her historic haunted house, or continuing her dissertation on the psychological interpretations of ghosts in gothic and horror fiction.