When KrebsOnSecurity broke the information on Oct. 20, 2023 that id and authentication big Okta had suffered a breach in its buyer assist division, Okta stated the intrusion allowed hackers to steal delicate knowledge from fewer than one % of its 18,000+ prospects. However in the present day, Okta revised that impression assertion, saying the attackers additionally stole the title and e mail tackle for practically all of its buyer assist customers.
Okta acknowledged final month that for a number of weeks starting in late September 2023, intruders had entry to its buyer assist case administration system. That entry allowed the hackers to steal authentication tokens from some Okta prospects, which the attackers might then use to make adjustments to buyer accounts, reminiscent of including or modifying licensed customers.
In its preliminary incident experiences concerning the breach, Okta stated the hackers gained unauthorized entry to recordsdata inside Okta’s buyer assist system related to 134 Okta prospects, or lower than 1% of Okta’s buyer base.
However in an up to date assertion printed early this morning, Okta stated it decided the intruders additionally stole the names and e mail addresses of all Okta buyer assist system customers.
“All Okta Workforce Id Cloud (WIC) and Buyer Id Resolution (CIS) prospects are impacted besides prospects in our FedRamp Excessive and DoD IL4 environments (these environments use a separate assist system NOT accessed by the menace actor),” Okta’s advisory states. “The Auth0/CIC assist case administration system was additionally not impacted by this incident.”
Okta stated that for practically 97 % of customers, the one contact data uncovered was full title and e mail tackle. Meaning about three % of Okta buyer assist accounts had a number of of the next knowledge fields uncovered (along with e mail tackle and title): final login; username; cellphone quantity; SAML federation ID; firm title; job function; person sort; date of final password change or reset.
Okta notes that numerous the uncovered accounts belong to Okta directors — IT folks accountable for integrating Okta’s authentication know-how inside buyer environments — and that these people must be on guard for focused phishing assaults.
“Many customers of the shopper assist system are Okta directors,” Okta identified. “It’s vital that these customers have multi-factor authentication (MFA) enrolled to guard not solely the shopper assist system, but additionally to safe entry to their Okta admin console(s).”
Whereas it could appear utterly bonkers that some corporations enable their IT workers to function company-wide authentication techniques utilizing an Okta administrator account that isn’t protected with MFA, Okta stated absolutely six % of its prospects (greater than 1,000) persist on this harmful follow.
In a earlier disclosure on Nov. 3, Okta blamed the intrusion on an worker who saved the credentials for a service account in Okta’s buyer assist infrastructure to their private Google account, and stated it was probably these credentials had been stolen when the worker’s private gadget utilizing the identical Google account was compromised.
Not like normal person accounts, that are accessed by people, service accounts are principally reserved for automating machine-to-machine features, reminiscent of performing knowledge backups or antivirus scans each night time at a selected time. Because of this, they will’t be locked down with multifactor authentication the way in which person accounts can.
Dan Goodin over at Ars Technica reckons this explains why MFA wasn’t arrange on the compromised Okta service account. However as he rightly level out, if a transgression by a single worker breaches your community, you’re doing it flawed.
“Okta ought to have put entry controls in place apart from a easy password to restrict who or what might log in to the service account,” Goodin wrote on Nov. 4. “A technique of doing that is to place a restrict or situations on the IP addresses that may join. One other is to often rotate entry tokens used to authenticate to service accounts. And, after all, it ought to have been inconceivable for workers to be logged in to non-public accounts on a piece machine. These and different precautions are the duty of senior folks inside Okta.”
Goodin prompt that individuals who need to delve additional into numerous approaches for securing service accounts ought to learn this thread on Mastodon.
“A good variety of the contributions come from safety professionals with intensive expertise working in delicate cloud environments,” Goodin wrote.
