Hackers Stole Access Tokens From Okta's Support Unit (krebsonsecurity.com)

An anonymous reader quotes a report from Krebs on Security: Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. Okta says the incident affected a "very small number" of customers; however, it appears the hackers responsible had access to Okta's support platform for at least two weeks before the company fully contained the intrusion. In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it "has identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases."

Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an HTTP Archive or HAR file). These are sensitive files because in this case they include the customer's cookies and session tokens, which intruders can then use to impersonate valid users. "Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens," their notice continued. "In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it."

Okta has published a blog post about this incident that includes some "indicators of compromise" that customers can use to see if they were affected. But the company stressed that "all customers who were impacted by this have been notified. If you're an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets."
The security firm BeyondTrust is among the Okta customers who were involved in the breach. "BeyondTrust Chief Technology Officer Marc Maiffret said that [Okta's] alert came more than two weeks after his company alerted Okta to a potential problem," reports Krebs. They have also published a blog post detailing their findings.
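Okta's advice above is to sanitize credentials and cookies/session tokens in a HAR file before sharing it. As an added example (not code from the Krebs report, Okta, BeyondTrust or any commenter), here is a Python redactor that scrubs the HAR fields where session material lives: Cookie/Set-Cookie/Authorization headers, the parsed cookies arrays, token-like query parameters and the request URL that duplicates them. The header and parameter-name lists are assumptions to extend for your own environment, and the HAR fragment is constructed.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names that carry a credential or session (assumed list; extend as needed).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Substrings that mark a query parameter as sensitive (assumed heuristic).
SENSITIVE_PARAM_HINTS = ("token", "session", "password", "secret")

def _is_sensitive_param(name):
    return any(hint in name.lower() for hint in SENSITIVE_PARAM_HINTS)

def _scrub_url(url):
    """Redact sensitive query parameters inside the request URL string itself."""
    parts = urlsplit(url)
    pairs = [(k, REDACTED if _is_sensitive_param(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))

def _scrub_message(msg):
    """Redact headers, parsed cookies and query params of one request or response."""
    count = 0
    for header in msg.get("headers", []):
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"], count = REDACTED, count + 1
    for cookie in msg.get("cookies", []):  # HAR stores parsed cookies separately
        cookie["value"], count = REDACTED, count + 1
    for param in msg.get("queryString", []):
        if _is_sensitive_param(param.get("name", "")):
            param["value"], count = REDACTED, count + 1
    if "url" in msg:  # request side only; the URL duplicates the query string
        msg["url"] = _scrub_url(msg["url"])
    return count

def sanitize_har(har):
    """Return (sanitized deep copy, number of header/cookie/param values redacted)."""
    out = copy.deepcopy(har)
    count = sum(_scrub_message(e.get("request", {})) + _scrub_message(e.get("response", {}))
                for e in out.get("log", {}).get("entries", []))
    return out, count

# Constructed sample: a session cookie, a bearer token and a token in the query string.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.test/api?access_token=abc123",
                "headers": [{"name": "Cookie", "value": "sid=s3cr3t"},
                            {"name": "Authorization", "value": "Bearer eyJ.fake"}],
                "cookies": [{"name": "sid", "value": "s3cr3t"}],
                "queryString": [{"name": "access_token", "value": "abc123"}]},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=n3w"}],
                 "cookies": [{"name": "sid", "value": "n3w"}]}}]}}
```

Response bodies (`content.text`) and request `postData` can also embed tokens; this redactor leaves them alone, so review those fields by hand or extend it before attaching the file to a support case.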
  • Why use any of the boomer dinosaur companies' devices if all it's gonna do is put you on the chopping block when they inevitably get hacked? The company should tank; they should be ashamed of themselves for such knuckle-headed foolery.
    • It's kind of amazing how many security companies have piss-poor security, and how many of their customers don't care.
      • Every security system, physical or digital, has vulnerabilities. Do you have evidence that Okta is somehow more lax than others? What others do better?

        • Do you have evidence that Okta is somehow more lax than others? What others do better?

          The claim was that they "have piss-poor security", that is, in absolute terms, not that "others" might be just as bad or not.
          And the evidence is really clear, how can you call this?

          We raised our concerns of a breach to Okta on October 2nd. Having received no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta until October 19th when Okta security leadership notified us that they had indeed ex

          • Security is not measured in absolutes, it's always relative.

            You lock your car in a parking lot, not because locking your car constitutes absolute protection, but because car thieves are opportunists. If your car is locked, and somebody else's isn't, they'll pick the one that isn't. If *everybody* locks their car, then you might want to consider additional security, such as perhaps a car alarm. The important thing about security is to make your target less available than other targets. You can't stipulate th

            • Their customer told them they had a breach. Stop simping for this terrible dinosaur company. There is no excuse for these shameful repeat offenses. It's not just "oh well, that is security for you". If your customer is telling you that you had a breach, that was a repeat of a recent incident, you deserve to collapse and go bankrupt.
              • YOU assume that the customer would have reason to know. The reality is more complex. Even in my own experience,

                As part of my job managing the construction of an SSO mechanism, I work with a pen test team to look for potential vulnerabilities. The pen test team found a few legitimate issues, and also hundreds of false alarms. I'm sure Okta is no different. Sure, they heard from the customer. But when 99% of what you hear from customers is actually false alarms, it's not surprising that one real alarm got th

                • BeyondTrust notified Okta on October 2nd 2023. The same attacker still had access to the support system on October 18th 2023. Part of your job as Okta is to validate and verify false positives, not just be like, "well, oh well, we got too many false positives so forget security." The fact that you are spewing such nonsense in these comments makes me think a few things. 1. You are really bad at your job and really do not get security. 2. You are Okta HR. 3. You recently signed a deal with Okta for overpriced s
                  • Okta may well have screwed this up, I don't know. The point is, neither do you. You are assuming facts not in evidence. You haven't seen the root cause analysis, nor do you have all the data. All you have is one person's report, which doesn't tell the whole story.

                    Okta may be terrible at its job, but this incident alone doesn't prove that.

                    What alternative do YOU recommend?

            • LOL now you're making car analogies. Give us a break, seriously. PAYING CUSTOMERS ARE TELLING A SECURITY COMPANY THEY'RE UNDER ATTACK FROM THE DATA LEAKED FROM THEIR LAST SUPPORT TICKET and they are ignored for MORE THAN TWO WEEKS. This is bad, no matter how you slice it!

              • I don't think you understand how security works.

                I've gone through numerous penetration tests. These tests sometimes tell you something important, but the important warnings are accompanied by hundreds of false alarms. Okta is no different. For every real alarm from a customer, they no doubt receive hundreds of false ones. Did they have reason to know that this one customer claim was legitimate, when 99% of them aren't? *You* don't know that.

        • Do you have evidence that Okta is somehow more lax than others?

          Okta needs to be more secure than others. They are building software to keep things secure, that's their job, and they are failing at it.

          Although a cynical person might say that their job is to make things more convenient.

          • By "others" I was referring to "other security providers."

            And you don't have the facts, just from this story, to prove that they are "failing at it."

            • lol what do you know about security? In this post [slashdot.org], you argue that Okta shouldn't check all security alerts because there are too many false positives.

              Okta better be checking them all, otherwise things will happen like are reported in this story.
              • You are misquoting my post, I never said Okta *shouldn't* validate all reports. What I did say was that 99% (+ or -) are false positives. Okta may have incorrectly judged this report is a false positive. That is a mistake even the best and brightest could have made. I challenge you to show me a company or person with a better record.

                • I challenge you to show me a company or person with a better record.

                  Seriously? How much are you going to pay me? That's an easy challenge, Okta doesn't have a good record.

                  • And yet, you can't name a single security provider that does better! If it's such an easy challenge, you should be able to just reply and name a name. Your evasiveness and indignation strikes me as being unable to answer.

    • What devices are you talking about? There were no "devices" involved in this hack.

      You do understand that every kind of security, has vulnerabilities, right? That's true of the physical security of your home, your bank, and everything in between. Why should digital security be different?

  • But hey, at least it means we all die together.

    • Oh, so you don't use the internet? I mean, you have to get an access token to access anything on the internet these days.

    • I mean, you prefer decentralized auth? Without something like Okta, you trust users to maintain good passwords and enable MFA on a variety of services. Good luck with that.... the breaches will pile up a lot faster at most companies with that than with some kind of central auth with strong policies. It's not risk free, but it beats the alternatives.
      • The problem with centralized auth is companies like Okta are lazy dinosaurs that don't adapt. They keep a status quo and rake in overpriced subscriptions and think that their solutions are still valid a decade later. You have to be quick and agile and constantly evolving to do the security thing.
        • I mean they are constantly advancing, Okta isn't a slow behemoth like Microsoft or IBM at all. Looks like this hack was quite an edge case wherein unsanitized credentials were uploaded to support, and their support storage bucket was compromised. Obviously there's room for improvement, and I'm sure a couple of changes to the way their support and their API authentication work.
