Okta Breach

Last week, Okta, the identity and access management (IAM) service provider, identified adversarial activity that used a stolen credential to access its support case management system. The threat actor was able to view sensitive HTTP Archive (HAR) files uploaded by a limited number of Okta customers as part of recent support cases. HAR files record the requests and responses exchanged between a web client and a web server, and can therefore contain sensitive information such as authentication tokens, API keys, and session cookies. Okta's support team typically asks customers to share these files when submitting a support ticket so that the Okta technician can replicate and troubleshoot the browser activity. Okta stated that all impacted customers were notified, including BeyondTrust, Cloudflare, and 1Password. These organizations terminated or blocked the malicious activity using a defense-in-depth approach.
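Because the sensitive fields a HAR capture carries are well defined, the exposure above can be reduced before a file ever reaches a support queue. The following Python sanitiser is an added example, not Okta's code or guidance: it redacts credential-bearing headers, cookies, query parameters and token response bodies in a HAR file. The header and parameter names it targets and the embedded sample capture are assumptions constructed for the example.

```python
import json, re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Field names that commonly carry credentials in a browser capture. These lists
# are assumptions for this example, not Okta's own sanitisation guidance.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "code", "token", "sessiontoken"}
REDACTED = "[REDACTED]"
# Matches "access_token": "..." style fields inside JSON response bodies.
_JSON_TOKEN_RE = re.compile(r'("(?:%s)"\s*:\s*")[^"]*(")' % "|".join(SENSITIVE_PARAMS))


def _redact_pairs(pairs, names=None):
    """Blank the value of each {"name", "value"} pair; every pair if names is None."""
    hits = 0
    for pair in pairs:
        if names is None or pair.get("name", "").lower() in names:
            pair["value"], hits = REDACTED, hits + 1
    return hits


def _redact_url(url):
    """Blank query parameters named in SENSITIVE_PARAMS inside a URL."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def sanitize_har(har_text):
    """Return (sanitized HAR JSON string, number of header/cookie/query fields redacted)."""
    har, hits = json.loads(har_text), 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        hits += _redact_pairs(req.get("headers", []), SENSITIVE_HEADERS)
        hits += _redact_pairs(resp.get("headers", []), SENSITIVE_HEADERS)
        hits += _redact_pairs(req.get("cookies", [])) + _redact_pairs(resp.get("cookies", []))
        hits += _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        req["url"] = _redact_url(req.get("url", ""))  # the raw URL repeats the query string
        if isinstance(resp.get("content", {}).get("text"), str):  # token endpoints answer with secrets
            resp["content"]["text"] = _JSON_TOKEN_RE.sub(r"\1%s\2" % REDACTED, resp["content"]["text"])
    return json.dumps(har), hits


# Constructed sample HAR (not a real capture): a bearer header, a session cookie and a token body.
SAMPLE_HAR = json.dumps({"log": {"entries": [{
    "request": {"url": "https://example.okta.com/oauth2/v1/token?code=abc123",
                "headers": [{"name": "Authorization", "value": "Bearer eyJsecret"}],
                "cookies": [{"name": "sid", "value": "102SESSION"}],
                "queryString": [{"name": "code", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=102SESSION; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "102SESSION"}],
                 "content": {"text": "{\"access_token\": \"eyJaccess\", \"token_type\": \"Bearer\"}"}}}]}})
```

Running `sanitize_har(SAMPLE_HAR)` returns the cleaned JSON and a hit count of 5; a count of zero on a real capture is a signal to inspect the file by hand rather than assume it is clean.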
Multi-factor authentication (MFA) continues to be targeted by threat actors. Last month, Okta revealed social engineering campaigns against the IT service desk personnel of US-based Okta customer organizations, in which callers attempted to have MFA reset for high-privilege users. The threat actor then used the compromised Okta Super Admin accounts to abuse legitimate identity features and impersonate users within the compromised organization. Impacted organizations include MGM and Caesar's Palace; the subsequent ransomware attacks ultimately affected millions of patrons worldwide.