Heimdal

The ongoing Okta data breach investigation brings new details to light. The company announced that hackers have accessed data from every user of Okta’s customer support system.

David Bradbury, Okta's Chief Security Officer, said:

We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users.

Source – Okta advisory

What is new in the Okta data breach investigation?

Initially, Okta assessed that the attackers had accessed files belonging to less than 1% of its customers. The investigation has since shown the breach to be broader: the threat actor also accessed additional reports and support cases containing the names and email addresses of all Okta certified users.

The compromised data belong to Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers. The only exceptions are customers in the FedRAMP High and DoD IL4 environments, which use a separate support system, and the Auth0/CIC support case management system, which was not affected.

According to David Bradbury, in September 2023 the threat actor ran a report containing the following fields for each user of Okta's Help Center:

  • full name
  • username
  • email
  • company name
  • user type
  • address
  • last password change/reset
  • role
  • phone number
  • mobile number
  • time zone
  • SAML Federation ID

Okta's CSO added that for most users the majority of these fields were blank, and that the report contained neither user credentials nor sensitive personal data:

For 99.6% of users in the report, the only contact information recorded is full name and email address.

Source – Okta advisory

The ongoing investigation also revealed that the breach exposed some Okta employee information. So far there is no indication that sensitive personal data were included.

Okta warns of potential phishing attacks and urges admins to use MFA

The concerning part is that many Help Center users are Okta administrators. Admin accounts that are not protected by multi-factor authentication are now at high risk of unauthorized access, because an attacker who holds a valid name and email address already has a credible target list.

Okta expects the stolen contact data to be used for phishing and social engineering. To limit further damage, the company urges administrators to enable multi-factor authentication (MFA).

MFA protects both access to the customer support system and access to the customers' own Okta Admin Console(s).

In addition to enforcing MFA, on admin accounts first and ideally everywhere, Okta also recommended the following measures.

Admin Session Binding

Customers can enable an Early Access feature in Okta that requires admins to reauthenticate whenever their session is reused from an IP address belonging to a different ASN (Autonomous System Number). The check is aimed at replayed session cookies: a token stolen from an admin's browser and presented from an attacker's hosting provider arrives from a different autonomous system than the original login. Legitimate admins who move between networks (office to mobile, for example) will also be prompted, which is the price of the control.
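The same condition can be checked after the fact in the Okta System Log, which is useful both for tuning before turning the feature on and for hunting in orgs that have not enabled it yet. The following is an added example written for this article, not Okta's code: it groups constructed events by admin session and flags sessions observed from more than one ASN. The only thing taken from Okta is the shape of the System Log fields (securityContext.asNumber, authenticationContext.externalSessionId, client.ipAddress, actor.alternateId, eventType user.session.access_admin_app); the events, addresses and ASNs are made up (documentation ranges 203.0.113.0/24, 198.51.100.0/24 and AS64496/AS64497).

```python
from collections import defaultdict

# Constructed sample events in the shape of Okta System Log entries.
# Field names follow the Okta schema; every value below is invented for the example.
SAMPLE_EVENTS = [
    {"published": "2023-11-29T09:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice.admin@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "securityContext": {"asNumber": 64496, "asOrg": "example-office-isp"},
     "authenticationContext": {"externalSessionId": "idxSess001"}},
    {"published": "2023-11-29T09:02:00Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "alice.admin@example.com"},
     "client": {"ipAddress": "203.0.113.11"},
     "securityContext": {"asNumber": 64496, "asOrg": "example-office-isp"},
     "authenticationContext": {"externalSessionId": "idxSess001"}},
    # Same session id reappears from a different autonomous system:
    # this is the pattern Admin Session Binding would challenge.
    {"published": "2023-11-29T09:40:00Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "alice.admin@example.com"},
     "client": {"ipAddress": "198.51.100.23"},
     "securityContext": {"asNumber": 64497, "asOrg": "example-vps-hoster"},
     "authenticationContext": {"externalSessionId": "idxSess001"}},
    # A second admin whose session stays inside one network: no finding.
    {"published": "2023-11-29T10:00:00Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "bob.admin@example.com"},
     "client": {"ipAddress": "203.0.113.50"},
     "securityContext": {"asNumber": 64496, "asOrg": "example-office-isp"},
     "authenticationContext": {"externalSessionId": "idxSess002"}},
    {"published": "2023-11-29T10:30:00Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "bob.admin@example.com"},
     "client": {"ipAddress": "203.0.113.51"},
     "securityContext": {"asNumber": 64496, "asOrg": "example-office-isp"},
     "authenticationContext": {"externalSessionId": "idxSess002"}},
]

ADMIN_APP_EVENT = "user.session.access_admin_app"


def _get(event, *path, default=None):
    """Walk a nested dict safely; System Log entries may omit sub-objects."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def group_sessions(events):
    """Map (actor, externalSessionId) -> time-ordered [(published, asn, ip, eventType)]."""
    sessions = defaultdict(list)
    for e in events:
        sid = _get(e, "authenticationContext", "externalSessionId")
        asn = _get(e, "securityContext", "asNumber")
        if sid is None or asn is None:
            continue  # cannot attribute the event to a session and a network
        key = (_get(e, "actor", "alternateId"), sid)
        sessions[key].append((e.get("published", ""), asn,
                              _get(e, "client", "ipAddress"), e.get("eventType", "")))
    for hops in sessions.values():
        hops.sort()
    return sessions


def find_cross_asn_sessions(events, admin_only=True):
    """Return {(actor, sessionId): [asn, ...]} for sessions seen from more than one ASN.

    With admin_only=True a session is reported only if at least one of its events is
    an Admin Console access, mirroring the scope of Okta's Admin Session Binding.
    """
    findings = {}
    for key, hops in group_sessions(events).items():
        asns = []
        for _, asn, _, _ in hops:
            if asn not in asns:
                asns.append(asn)  # order of first appearance, so the "home" ASN comes first
        if len(asns) < 2:
            continue
        if admin_only and not any(et == ADMIN_APP_EVENT for *_, et in hops):
            continue
        findings[key] = asns
    return findings


if __name__ == "__main__":
    for (actor, sid), asns in find_cross_asn_sessions(SAMPLE_EVENTS).items():
        print(f"ALERT: session {sid} of {actor} seen from ASNs {asns}; "
              "Admin Session Binding would force reauthentication here")
```

When running this against a real export, allow-list the ASNs of your corporate egress and VPN providers before paging anyone: an admin walking from office Wi-Fi onto a mobile carrier produces exactly the same signal as a replayed cookie, which is why Okta implements the control as a reauthentication prompt rather than a hard block.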

Admin Session Timeout

Citing NIST AAL3 guidelines and increased caution, Okta has introduced Admin Console session timeouts. The feature will be available for all production orgs by January 8th, 2024. The company notified all super admins of the change by email on November 27th; Okta has also published a copy of that notice under the title "Admin Session Lifetime/Idle Timeout Security Enhancements".

Phishing Awareness

Okta customers should treat any unexpected email that references Okta support, password resets or MFA changes with suspicion. Social engineering aimed at IT help desks is also likely, and it may arrive by phone or chat rather than email, so help desk staff need a strict identity verification procedure before resetting passwords or MFA factors. Teaching employees to spot a phishing email is only part of the answer; we also recommend a strong DNS security tool to detect and block communication with known malicious domains.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
