On October 20, 2023, Okta confirmed a security breach in which attackers accessed files within their customer support system that customers had uploaded for troubleshooting purposes. These files contained sensitive information, such as cookies and session tokens, allowing threat actors to hijack customer accounts.
These malicious actors were able to gain access to Okta’s support case management system by leveraging stolen credentials. The breached support case management system contained HTTP Archive (HAR) files, essential for replicating and resolving user and administrator errors. However, it also stored sensitive data, such as cookies and session tokens, which could potentially be exploited by malicious actors to assume the identities of users.
Okta actively collaborated with affected customers during the investigation, taking measures to revoke session tokens embedded within shared HAR files. They now recommend all customers sanitize their HAR files to prevent the inclusion of sensitive credentials and cookies/session tokens.
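The sanitization Okta recommends can be done before a HAR file ever leaves the customer's machine. The following is an added example written for this article, not Okta's own tooling: it redacts cookie, authorization and token-bearing fields from a parsed HAR 1.2 document and reports anything still left behind. The header and parameter name lists and the sample capture are assumptions with fake values.

```python
import copy

# Assumed lists of header/parameter names that commonly carry credentials; extend for your environment.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "token", "sessiontoken", "code"}
REDACTED = "[REDACTED]"

def _scrub_pairs(pairs, names=None):
    """Redact the value of each name/value pair; all of them when `names` is None."""
    for pair in pairs:
        if names is None or pair.get("name", "").lower() in names:
            pair["value"] = REDACTED

def sanitize_har(har):
    """Return a deep copy of a parsed HAR 1.2 document with credentials removed."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            _scrub_pairs(msg.get("cookies", []))  # every cookie value is treated as a secret
        _scrub_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        _scrub_pairs(req.get("postData", {}).get("params", []), SENSITIVE_PARAMS)
        # Token endpoints return secrets in the response body, so drop any body that mentions one.
        content = resp.get("content", {})
        if any(k in (content.get("text") or "") for k in SENSITIVE_PARAMS):
            content["text"] = REDACTED
    return har

def find_leaks(har):
    """Return locations of header/cookie values that still look like credentials (a pre-share check)."""
    leaks = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            for kind, names in (("headers", SENSITIVE_HEADERS), ("cookies", None)):
                for p in entry.get(side, {}).get(kind, []):
                    if (names is None or p.get("name", "").lower() in names) and p.get("value") != REDACTED:
                        leaks.append(f"{i}:{side}.{kind}.{p.get('name')}")
    return leaks

# Constructed sample capture of one admin-console request; every value here is fake.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=FAKE_SESSION_ID"}, {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "FAKE_SESSION_ID"}], "queryString": [{"name": "sessionToken", "value": "FAKE_TOKEN"}]},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=FAKE_NEW_ID"}],
                 "cookies": [{"name": "sid", "value": "FAKE_NEW_ID"}],
                 "content": {"mimeType": "application/json", "text": "{\"id\": \"00u1\"}"}}}]}}
```

Run `find_leaks` on the sanitized copy before attaching it to a support case; an empty list means no cookie or credential header survived.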
Fortunately, this breach did not affect Okta’s core services, and their Auth0/CIC case management system remained unaffected. Okta promptly notified impacted customers, ensuring that only those who received alerts were potentially affected by the incident. In a statement shared with The Hacker News, a spokesperson for Okta stated, “The breach only affected approximately 1% of our 18,400 customers.”
Impact on Third Parties (SaaS Supply Chain)
Both BeyondTrust and Cloudflare reported incidents that can be traced back to a breach attempt in Okta’s customer support system.
BeyondTrust detected a breach attempt on one of its in-house Okta administrator accounts on October 2, after threat actors stole a cookie from Okta’s support system. Despite BeyondTrust’s proactive response and sharing of forensics data with Okta, it took Okta over two weeks to confirm the breach, highlighting the critical need for swift incident response. The breach was eventually confirmed on October 19, underscoring the challenges of SaaS supply chain security.
On October 18, 2023, Cloudflare detected an attack on its system. Threat actors exploited a compromised authentication token to gain access to Cloudflare’s Okta instance, utilizing an open session with administrative privileges. While the incident raised concerns, Cloudflare’s rapid response ensured that no customer information or systems were affected. This marks the second time Cloudflare has been impacted by a breach of Okta’s systems.
What Other Companies Can Learn From the Incident
Breaches can happen in unexpected places, underscoring the need for constant vigilance and proactive security measures, especially in business functions where data is extremely sensitive.
Service providers need to ensure they meet the highest security standards and are able to demonstrate it. Demonstrating commitment to robust security practices not only builds trust with customers and regulatory bodies but also ensures the enforcement of proper security measures.
All partners and customers should be aware of where and how their sensitive data is stored and used within the SaaS domain. This reinforces the importance of clear data governance and monitoring practices to maintain data integrity and privacy.
SSPM as a Practical Solution
From a supply chain perspective, the ripple effects of the breach on third-party vendors like BeyondTrust and Cloudflare emphasize the potential vulnerability of interconnected systems. This underscores the urgency for businesses to enhance their supply chain security, ensuring that all parties within the ecosystem adhere to the highest security standards.
Abnormal user activity detection, a core aspect of security measures in the supply chain, becomes especially pertinent in this context. Thanks to BeyondTrust’s and Cloudflare’s ability to detect abnormal behavior in a timely manner, they were able to prevent further damage to their organizations. Supply chain security solutions, including SaaS Security Posture Management (SSPM) systems, must prioritize the continuous monitoring and analysis of user activities to identify any suspicious or unauthorized actions swiftly.