Okta is having a rough 2023. In late August, they warned the industry about social engineering attacks that target privileged users to gain elevated permissions. Two months later, they disclosed a breach by unidentified threat actors, believed to have been carried out via social engineering. At first, Okta said that the breach only impacted 134 customers. But today, the company revealed that it has found “additional threat actor activity”, the upshot of which is that the names and email addresses of all Okta customer support system users have been leaked to the hackers.
How did we get here? Let’s look back at the timeline.
August 31, 2023: Okta Warns of Social Engineering Attacks on Privileged Users
On August 31, Okta’s Defensive Cyber Operations (DCO) team posted a threat brief titled “Cross-Tenant Impersonation: Prevention and Detection”. In it, they explain a recent attack they had observed, in which a threat actor leveraged social engineering techniques to gain privileged access to an Okta customer organization.
The strategy was simple, in theory: the attacker convinced service desk personnel to reset the multi-factor authentication (MFA) factors that had been enrolled by highly-privileged users (think IT admins and the like).
Once they had compromised these “Super Administrator” accounts, the attackers used their high privilege level to impersonate those legitimate users.
At the time, Hacker News reported that Okta recommended their customers take several countermeasures, including:
- Enforce phishing-resistant authentication
- Strengthen help desk identity verification processes
- Enable new device and suspicious activity end-user notifications
- Review and limit the use of Super Administrator roles
October 20, 2023: Okta Discloses a Support System Breach, Exposing Customer Data
Not long after they warned against social engineering threats targeting Okta customers, Okta themselves became the victim. On October 20, the company disclosed that they had been breached by “unidentified threat actors”. The attack was first detected by 1Password, an Okta customer, who notified Okta on September 29. BeyondTrust and Cloudflare, also Okta customers, said that they had detected similar incidents and had notified Okta as well.
As it turned out, the attackers had used stolen login credentials to gain access to an Okta support account. Then, they used this access to steal session cookies and access tokens for customer accounts. Finally, they used these tokens to compromise those accounts.
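The two attack patterns in this timeline both leave traces in an identity provider's audit log: the August brief describes a help desk agent resetting a Super Administrator's MFA factors, and the October breach describes a stolen session cookie or token being replayed from the attacker's own machine. The following detector, written as an added example for this post rather than code from Okta or any of the companies named here, runs both checks over a few constructed JSON log lines. The event shape (eventType, actor, target, client, authenticationContext.externalSessionId) is a simplified model loosely based on Okta's System Log, and the event type names and every sample value are assumptions chosen for illustration.

```python
"""Two detections for the help-desk MFA reset and session replay patterns.

Added example, not Okta's code. The JSON event shape is a simplified model of
an identity provider's audit log; field and event names are assumptions.
"""
import json
from collections import defaultdict

# Event types whose success means a user's enrolled MFA factors are gone
# (assumed names modeled on Okta System Log conventions).
FACTOR_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}

# Who counts as highly privileged is an input; a constructed set for the demo.
PRIVILEGED_USERS = {"admin@example.com"}

# Constructed sample log, one JSON event per line. Scenario: a help desk agent
# resets the admin's factors; the admin's session later appears from a second
# IP address and client, which is what replayed session material looks like.
SAMPLE_LOG = """
{"eventType": "user.mfa.factor.reset_all", "published": "2023-10-02T09:14:02Z", "actor": {"type": "User", "alternateId": "helpdesk@example.com"}, "target": [{"type": "User", "alternateId": "admin@example.com"}], "client": {"ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (X11)"}, "authenticationContext": {"externalSessionId": "sess-helpdesk-1"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.session.start", "published": "2023-10-02T09:20:11Z", "actor": {"type": "User", "alternateId": "admin@example.com"}, "target": [], "client": {"ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Macintosh)"}, "authenticationContext": {"externalSessionId": "sess-admin-1"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.mfa.factor.reset_all", "published": "2023-10-02T10:02:45Z", "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": [{"type": "User", "alternateId": "alice@example.com"}], "client": {"ipAddress": "198.51.100.20", "userAgent": "Mozilla/5.0 (Windows)"}, "authenticationContext": {"externalSessionId": "sess-alice-1"}, "outcome": {"result": "SUCCESS"}}
{"eventType": "user.session.access_admin_app", "published": "2023-10-02T11:47:30Z", "actor": {"type": "User", "alternateId": "admin@example.com"}, "target": [], "client": {"ipAddress": "192.0.2.55", "userAgent": "python-requests/2.31"}, "authenticationContext": {"externalSessionId": "sess-admin-1"}, "outcome": {"result": "SUCCESS"}}
"""


def parse_events(log_text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def privileged_factor_resets(events, privileged_users):
    """Successful factor resets on a privileged account performed by someone else.

    A self-service reset by the account owner is routine; a reset of an admin's
    factors by a help desk identity is the precursor to the impersonation
    attack described in Okta's August brief, so every one deserves review.
    """
    hits = []
    for ev in events:
        if ev["eventType"] not in FACTOR_RESET_EVENTS:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        actor = ev["actor"]["alternateId"]
        for target in ev.get("target", []):
            user = target.get("alternateId")
            if target.get("type") == "User" and user in privileged_users and user != actor:
                hits.append({"when": ev["published"], "actor": actor, "target": user})
    return hits


def reused_sessions(events):
    """Session IDs observed from more than one (IP address, user agent) pair.

    A legitimately established session stays on the browser that created it;
    the same session ID arriving from a new address and a new client is the
    signature of a stolen cookie or token being replayed.
    """
    clients = defaultdict(set)
    owner = {}
    for ev in events:
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        if not sid:
            continue
        clients[sid].add((ev["client"]["ipAddress"], ev["client"]["userAgent"]))
        owner.setdefault(sid, ev["actor"]["alternateId"])  # first actor seen owns it
    return {sid: {"user": owner[sid], "clients": sorted(pairs)}
            for sid, pairs in clients.items() if len(pairs) > 1}


def correlate(events, privileged_users):
    """Join the two signals: a privileged user with both a third-party factor
    reset and a replayed session is the highest-priority finding."""
    resets = privileged_factor_resets(events, privileged_users)
    reuse = reused_sessions(events)
    reset_users = {h["target"] for h in resets}
    reused_users = {r["user"] for r in reuse.values()}
    return {"factor_resets": resets, "session_reuse": reuse,
            "both": sorted(reset_users & reused_users)}


if __name__ == "__main__":
    print(json.dumps(correlate(parse_events(SAMPLE_LOG), PRIVILEGED_USERS), indent=2))
```

Run against the sample log, the detector flags the help desk reset of admin@example.com, flags session sess-admin-1 as seen from two distinct clients, and lists admin@example.com under "both". In a real deployment the privileged-user set would come from the role assignments that the August guidance says to review and limit, and the session check would be tuned to ignore benign address changes (mobile networks, VPN reconnects) while still treating a change of user agent as high signal.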
“For a critical security service provider like Okta, we believe following these best practices is table stakes.”
Initially, it wasn’t exactly clear how bad the breach was. But the optics were bad, really bad. A group of Cloudflare engineers posted a blog article titled, “How Cloudflare mitigated yet another Okta compromise.” Ouch. The engineers were quick to point out that this was actually the second time Cloudflare had been affected by a breach of Okta. They also listed several “best practices” that they recommended Okta implement, actions they described as “table stakes”.
The press took the story and ran with it, as well. Wired ran an article that called out Okta’s security failures. And CNBC reported at the time that the hack had wiped out over $2 billion from Okta’s market cap. But the worst was yet to come.
November 4, 2023: Okta Says Their Customer Support Breach Impacted 134 Customers, As Employee Information Is Exposed in A Separate Breach
In early November, Okta shared the results of their initial forensic analysis of their October 20 breach. Initially, the company said that the incident affected 134 of their 18,400 customers. At the time, it seemed like the incident, bad as it was, was relatively contained.
At the same time, however, Okta’s own employees discovered that their personal information had been exposed in an entirely different breach at Rightway Healthcare. Rightway, which provided healthcare coverage for Okta employees and their families, had been breached on September 23. The threat actors had accessed a file which contained:
- Full names
- Social security numbers (SSNs)
- Health or medical insurance plan numbers
Nearly 5,000 current and former Okta employees were affected.
November 29, 2023: Okta Discloses a Broader Impact Linked to October Breach
All of which brings us to today. On November 29, 2023, Okta disclosed that the scope of their October breach was much larger than initially thought.
In fact, the threat actor downloaded a report that included information about all Okta customer support system users. In addition, the attackers are believed to have accessed some contact information of all Okta certified users, some Okta Customer Identity Cloud (CIC) customers, and “unspecified” Okta employee information.
According to David Bradbury, Okta’s Chief Security Officer, the report that the attackers downloaded contained the following fields:
However, Bradbury says that, “For 99.6% of users in the report, the only contact information recorded is full name and email address.”
“We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users.”
Hacker News reports that Okta has warned all of their customers about potential phishing and social engineering risks. Indeed, social engineering seems to be a common thread running through many recent attacks. In his update post on Okta’s security blog, Bradbury says that it’s critical for all Okta admin users to have multi-factor authentication (MFA) enabled. He also recommends that all Okta customers consider the use of “phishing-resistant authenticators”.
To date, the identity of the latest Okta attackers is not known. However, there are some similarities between the attacks and the tactics employed by the notorious hacker group Scattered Spider. Scattered Spider has breached numerous high-profile companies in recent months, including Clorox, who saw a 28% drop in sales as a result of the attack.
Earlier this year, Scattered Spider successfully breached MGM Resorts, costing the company $100 million. The attackers later released a statement saying that they had compromised MGM’s Okta super administrator accounts. A similar attack targeting Caesars Entertainment, another Okta customer, resulted in a $15 million ransom payment. Shortly after the attacks, Bradbury recommended that companies add a “visual verification” step at the help desk for users with high access privileges.
Okta Breach Timeline
2023’s breaches are not the first for Okta. The company has experienced several data breaches over the past couple of years affecting everything from customer data to their own source code.
- December 2022: Okta’s source code stolen after their GitHub repositories were hacked.
- September 2022: Older source code repositories stolen from Okta-owned Auth0
- March 2022: Lapsus$ reveals that they breached Okta’s systems by gaining “superuser/admin” privileges. The hacker group posted screenshots of Okta’s backend administrative consoles and some customer data. Okta’s investigations initially indicated that ~2.5% of their customers were affected, but later found that the breach affected only two customers. They also apologized for delaying their disclosure of the attack.
- August 2023: Okta warns their customers to be on guard against social engineering attacks targeting service desk personnel
- October 2023: Okta discloses a breach by an attacker who used stolen login credentials to access an Okta support account, then leveraged that access to reach Okta customer accounts
- November 2023: After initially saying the breach impacted 134 customers, Okta reveals that the attackers downloaded names and emails of all Okta customer support systems users. Also affected are all Okta certified users, some Okta Customer Identity Cloud (CIC) customers, and “unspecified” Okta employee information
What Okta Customers Should Do to Protect Themselves
Okta’s breaches highlight a fundamental truth about cybersecurity: no single factor is safe, and humans are always the weakest link. The proliferation of social engineering attacks proves this. Attackers know that IT help desk and support employees are vulnerable.
Security professionals and software companies are full of recommendations as to how you should protect yourself. Some are better than others. For example, MFA is better than no MFA, but one-time codes sent via SMS or email are notoriously easy to intercept. In fact, any authentication method that relies on devices, knowledge (security questions), or human judgment is inherently vulnerable.
Okta’s CSO was on to something when he recommended adding a “visual verification” step to any help desk function that involves admin-level functions and users. But video verification via Zoom call is far too complicated and time-consuming. The real answer is to use an automated visual verification solution like Nametag for fast, secure identity proofing. By surrounding your IAM and MFA implementations with visual verification, you can quickly add a high-security layer that’s purpose-built to stop social engineering attacks in their tracks.