Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Okta. Show all posts

Okta: October Data Breach Impacts All User Across Customer Support Systems

Okta

The latest investigation

Okta’s recent investigation into the exploit of its Help Center environment in October disclosed that the threat actors stole the data that belonged to all customer support system users. Okta mentioned that the hackers also stole extra reports and support cases with contact info for all contact of all certified Okta users. 

“We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident,” mentioned Okta

Hackers gain unauthorized access

Early in November, the company announced that a threat actor had obtained unauthorized access to files within its customer support system, indicating a small data breach. 

Based on facts revealed at the time, the hacker acquired HAR files containing cookies and session tokens for 134 clients - fewer than 1% of the company's customers - which might be used to disrupt legitimate users' Okta sessions.

Let us take a deep dive into the incident 

A deeper look into the incident found that the threat actor also "downloaded a report that contained the names and email addresses of all Okta customer support system users."

Okta, on the other hand, adds that the only contact information accessible for 99.6% of the users identified in the study was their full name and email address. Okta ensured that no credentials had been compromised.

According to Okta's announcement, most exposed users are administrators, and 6% have not enabled multi-factor authentication security against fraud login attempts.

According to Okta, the hackers also obtained data from "Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts" and Okta personnel information.

A lot of the time, names and email addresses are sufficient for a hacker to carry out phishing or social engineering scams that may act as espionage or help them collect more information to construct a more sophisticated attack.

Okta recommends the following measures to protect against potential attacks:

  • Implement multi-factor authentication (MFA) for admin access, preferably utilizing phishing-resistant technologies such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards.
  • Configure admin session binding to make new IP addresses require re-authentication for admin sessions.
  • As per NIST recommendations, set up admin session timeouts to a limit of 12 hours with a 15-minute idle time.
  • Raise phishing awareness by being alert to phishing efforts and reinforcing IT Help Desk verification processes, particularly for high-risk behaviors.

“We also identified additional reports and support cases that the threat actor accessed, which contain the contact information of all Okta-certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data,” wrote Okta in a statement. 

Over the previous two years, Okta has been the victim of credential theft and social engineering attacks, with attackers gaining access to source code from the company's private GitHub repositories last December.


Okta Data Breach Highlights Hackers' Untapped Gold Mine


The recent data breach at tech firm Okta has drawn attention to the risks associated with not protecting data that is rarely given top priority in terms of security, records customer service. 

The help desk system, which is used by some of the largest companies in the world, such as FedEx and Zoom, is accessed by hackers using a password that was stolen, according to a statement released by Okta on October 20. Okta provides software that other businesses use to manage login accounts. The attack on Okta, which has already cost the company $2 billion in market valuation, has the potential to spread into a more serious issue because this data occasionally contains files that can be used to secretly access the systems of Okta clients.

There are already indications of this happening. On Monday, popular password management company 1Password revealed that hackers had gained access to some parts of Okta's computer network by using data they had taken from the help-desk portal. The company notes that the brief intrusion was limited to a system that manages “employee-facing apps” and that “no 1Password user data was accessed.”

Depending on how they utilize the service and the internal systems they have connected to it, other Okta customers might be at greater risk. Gruhbhub, Tyson Foods, T-Mobile, the pharmaceutical firm McKesson, the diagnostics company LabCorp, and Main Street merchants like Crate & Barrel and Levi's are among Okta's prime customers.

According to Kyrk Storer, a spokesman for Okta, the hack of the company's help-desk portal impacted about 1% of its more than 18,000 users. These victims have now been notified of the hack, the company confirms.

Supply-chain attacks are cyber breaches that use access to one organization to target other partners, suppliers, or customers of that company. Exploiting a victim’s supply chain to reach more targets has become a popular cyberattack tactic among hackers, taking into account the digital connectivity among companies. In recent years, cyber intrusion on IT management firms like SolarWinds and Kaseya and file-transfer software manufacturer MOVEit had severe global repercussions. 

In most supply-chain assaults, hackers either discover or introduce a weakness in a popular software product, which they then utilize to access the systems of the firms that employ it. However, Okta attacks are not supported by any evidence that they involved software flaws. Instead, the hackers took advantage of extremely private consumer complaint submissions by utilizing login credentials they had obtained from a business that offered secure login software.

Customer service records are frequently mistakenly dismissed as being insignificant and obscure when compared to other types of data that companies maintain. Few organizations place the same emphasis on preserving this data as they do on safeguarding their clients' credit card information. However, a help desk system has an array of information about a business's clients and technological flaws, and the Okta attack indicates that hackers are becoming more aware of this.  

1Password's Swift Response to Okta Data Breach

Prominent password manager provider 1Password has shown excellent reaction and transparency following the recent Okta data leak issue. The breach forced 1Password to take measures to protect its users' security after it affected multiple organizations and possibly exposed sensitive user data.

1Password, a widely trusted password manager, has detected suspicious activity related to the Okta breach. The company acted promptly to mitigate any potential risks to its users. This incident highlights the critical role password managers play in safeguarding personal information in an increasingly interconnected digital landscape.

The Okta data breach in late October exposed a substantial amount of sensitive information, including usernames, passwords, and other authentication credentials. This incident raised alarms across the cybersecurity community, as Okta serves as an identity and access management provider for numerous organizations.

1Password's swift response sets an example for other online services in handling such incidents. The company has confirmed that all logins are secure and has implemented additional security measures to fortify its users' accounts. This includes enhanced monitoring for any suspicious activity and immediate alerts for any potential compromise.

1Password has a history of prioritizing user security, and this recent incident demonstrates their commitment to upholding the trust placed in them by millions of users worldwide. It serves as a reminder of the importance of using reputable password managers to fortify one's online security.

In light of this breach, it is recommended that users take proactive steps to further secure their accounts. This may include enabling multi-factor authentication, regularly updating passwords, and monitoring accounts for any unusual activity.

1Password's commitment to user security is demonstrated by its prompt and resolute reaction to the Okta data incident. It is impossible to overestimate the significance of strong password management given how quickly the digital world is changing. To protect their online identities, users are urged to exercise caution and take preventative action.

LastPass, Okta, and Slack: Threat Actors Switch to Targeting Core Enterprise Tools


In the beginning of year 2023, CircleCI, a development-pipeline service provider cautioned online users of a security breach, advising companies to take immediate action on the issue by changing the passwords, SSH keys, and other secrets stored on or managed by the platform. 

The security attack on the DevOps services left the organization scrambling in order to assess the extent of the breach, restrict attackers' access to alter software projects and identify which development secrets had been compromised. The company updated configuration settings, rotated authentication tokens, worked with other providers to expire keys, and investigated the situation. 

The company states in an advisory last week, "At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well." 

In the past year, identity services like Okta and LastPass have acknowledged system vulnerabilities, and developer-focused services like Slack and GitHub have reacted quickly to successful attacks on their infrastructure and source code. 

According to Lori MacVittie, a renowned engineer and evangelist at cloud security firm F5, the series of attacks on fundamental enterprise tools reflects the fact that organization should anticipate these types of providers turning into frequent targets in the future. 

"As we rely more on services and software to automate everything from the development build to testing to deployment, these services become an attractive attack surface […] We don't think of them as applications that attackers will focus on, but they are," she says. 

Identity & Developer Services Vulnerable to Cyberattacks 

Lately, threat actors have targeted two major categories of services, i.e. identity and access management systems, and developer and application infrastructure. Both of the given services support the critical components of enterprise infrastructure. 

According to Ben Smith, CTO at NetWitness, a detection and response firm, identity is the glue that supports the organizations’ interface in every way, along with connecting the companies to their partners and customers. 

"It doesn't matter what product, what platform, you are leveraging, adversaries have recognized that the only thing better than an organization that specializes in authentication is an organization that specializes on authentication for other customers," says Smith. 

Meanwhile, developer services and tools have developed into yet another frequently attacked enterprise service. For example, a threat actor accessed the Rockstar Games creators' Slack channel in September and downloaded videos, pictures, and game codes from the upcoming Grand Theft Auto 6 Title. In regards to this, Slack says "a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository." 

Since identity and developer services enable access to a wide range of corporate assets, from application services to operations to source code, compromising these services can be a ‘skeleton key' to the rest of the company, adds Smith. "They are very very attractive targets, which represent low-hanging fruit […] These are classic supply chain attacks — a plumbing attack because the plumbing is not something that is visible on a daily basis."

Protect Yourselves by Managing Secrets Wisely, Establish Playbooks 

In order to administer cyber-defense, one of the tactics suggested by Ben Lincoln, managing senior consultant at Bishop Fox, is to organize a comprehensive management of secrets. Companies should be able to “push the button” and rotate all necessary passwords, keys, and sensitive configurations. 

"You need to limit exposure, but if there is a breach, you hopefully have a push button to rotate all those credentials immediately," Smith further says. "Companies should plan extensively in advance and have a process ready to go if the worst thing happens." 

Organizations can also deceive intruders using traps. Security teams can receive a high-fidelity warning that attackers might be on their network or using a service by employing various honeypot-like tactics. Credential canaries—fake accounts and credentials—help identify when threat actors have access to critical assets. However, in all other ways, the companies must prioritize the need to apply zero-trust principles in order to minimize the attack surface area of — not just machines, software, and services but also operations, according to MacVittie.