Skip to content

Search the site

Fresh Okta breach exposes files: HAR, but no laughing matter

The attackers used a "stolen credential to access Okta's support case management system"

New Okta breach

Okta has reported its fourth cybersecurity incident since early 2022, with the company saying attackers accessed customer support files.

The attackers used a "stolen credential to access Okta's support case management system" the company admitted, without explaining why as an identity and access management (IAM) provider it did not protect itself against the abuse of stolen credentials, e.g. through the use of robust MFA.

Okta Chief Security Officer David Bradbury suggested in a short blog on October 20 that the attackers had then been able to steal credentials from files uploaded by customers that had not been sanitised. 

The attackers had been “able to view files uploaded by certain Okta customers as part of recent support cases” as a result, he said.

No incident dates were given. Affected customers have been contacted.  Okta support case management system is separate from the production Okta service, “which is fully operational and has not been impacted.”

See also: NSA's new list of configuration howlers

Bradbury wrote: “Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. 

“HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens… Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”

New Okta breach: Lessons learned?

The new Okta breach is its fourth since early 2022.

In January 2022 the Lapsus$ extortion group gained access to the account of a customer support engineer at Sykes, a third-party service provider, pivoting to Okta’s systems and sharing screenshots of apps.

(How Okta communicated over that breach triggered an industry-wide furore over a purported lack of transparency and its CEO’s early reaction to the incident. In a post-mortem Okta later claimed that just two customers had been affected and vowed to overhaul how it audits "sub-processors" and directly manage all devices of third parties that access its customer support tools in the wake of the incident.) 

In August 2022 Okta, along with many others like Signal, was affected by a breach of MFA provider Twilio. Then in December 2022 Okta said attackers had accessed and copied its GitHub source code repositories. 

Okta has over 17,000 customers globally.

Las Vegas casino ransomware attacks: Okta in the spotlight as MGM slowly recovers