Okta Breach

October 25, 2023

THE THREAT

On October 20, 2023, Okta Security identified that a threat actor had used a set of stolen credentials to gain unauthorized access to Okta's support case management system. The adversary was able to view files uploaded by certain Okta customers for recent support cases. This system is separate from Okta's production service, which was not affected, and the Auth0/Customer Identity Cloud (CIC) case management system was not involved.

As part of standard troubleshooting, Okta support may ask a customer to provide an HTTP Archive (HAR) file, a recording of the browser's HTTP traffic. A HAR file can contain sensitive data, such as cookies and session tokens, that an attacker can replay to impersonate the legitimate user. Okta has been assisting affected customers and has taken measures such as revoking embedded session tokens, but its standing recommendation is that all credentials, cookies and session tokens be sanitized from a HAR file before it is shared.
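One way to do that sanitization in code, as an added example rather than Okta's own HAR sanitizer: it walks the HAR structure (requests, responses, headers, cookies, query strings and bodies), redacts the credential-bearing pieces, and then checks that known secret values and JWT-shaped strings are gone before the file is uploaded. The header and field-name lists, the fake token and the sample archive are constructed assumptions, not material from the advisory.

```python
"""Scrub session material from a HAR file before it is attached to a support case.

Added example, not Okta's own HAR sanitizer. It redacts cookies, credential headers,
secret-looking query/form/JSON fields and JWT-shaped strings, then lets you confirm
that the secrets you know about are really gone before you upload the file.
"""
import json
import re
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Headers whose values are credentials or session material (compared case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-okta-xsrftoken", "x-csrf-token"}
# Field/parameter names that usually carry secrets. Assumed starting list; extend it for your apps.
SENSITIVE_NAME = re.compile(r"token|session|secret|passw|auth|api[_-]?key|\b(?:code|state|sid)\b", re.I)
# Three base64url segments, the first starting with 'eyJ' (base64 of '{"'): the shape of a JWT.
JWT_LIKE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _scrub_json(obj):
    """Recursively redact fields with sensitive names and any JWT-shaped string value."""
    if isinstance(obj, dict):
        return {k: REDACTED if SENSITIVE_NAME.search(k) else _scrub_json(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_scrub_json(v) for v in obj]
    return JWT_LIKE.sub(REDACTED, obj) if isinstance(obj, str) else obj


def _scrub_params(encoded):
    """Redact sensitive names in a query-string-shaped value (query, fragment or form body)."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return urlencode([(k, REDACTED if SENSITIVE_NAME.search(k) else v) for k, v in pairs])


def _scrub_text(text, mime):
    """Body scrubbing keyed on MIME type; unknown types only lose JWT-shaped strings."""
    if "json" in mime:
        try:
            return json.dumps(_scrub_json(json.loads(text)))
        except ValueError:
            pass  # declared JSON but unparseable: fall through to the regex pass
    if "x-www-form-urlencoded" in mime:
        return _scrub_params(text)
    return JWT_LIKE.sub(REDACTED, text)


def _scrub_url(url):
    """Both query and fragment carry tokens (an implicit-flow id_token lives in the fragment)."""
    p = urlsplit(url)
    fragment = _scrub_params(p.fragment) if "=" in p.fragment else p.fragment
    return urlunsplit(p._replace(query=_scrub_params(p.query), fragment=fragment))


def sanitize_har(har):
    """Return a sanitized deep copy of a parsed HAR (the dict json.load gives you)."""
    har = deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        for side in (req, resp):
            for h in side.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in side.get("cookies", []):
                c["value"] = REDACTED  # every cookie value goes, not only the obvious 'sid'
        for p in req.get("queryString", []) + req.get("postData", {}).get("params", []):
            if SENSITIVE_NAME.search(p.get("name", "")):
                p["value"] = REDACTED
        for holder in (req.get("postData", {}), resp.get("content", {})):
            if "text" in holder:
                holder["text"] = _scrub_text(holder["text"], holder.get("mimeType", ""))
    return har


def leaks(har, *known_secrets):
    """Pre-upload check: which of the given secret values still appear anywhere in the archive."""
    blob = json.dumps(har)
    return [s for s in known_secrets if s in blob]


def residual_jwts(har):
    """Pre-upload check: JWT-shaped strings that survived scrubbing, wherever they sit."""
    return JWT_LIKE.findall(json.dumps(har))


FAKE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwMHUxIn0.c2lnbmF0dXJlc2lnbmF0dXJl"  # constructed, not a real token
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [  # constructed sample, not real captured traffic
    {"request": {"method": "POST", "url": "https://example.okta.com/api/v1/authn",
                 "headers": [{"name": "Cookie", "value": "DT=DI0abc; sid=102A9PqW"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "cookies": [{"name": "DT", "value": "DI0abc"}, {"name": "sid", "value": "102A9PqW"}],
                 "queryString": [],
                 "postData": {"mimeType": "application/json",
                              "text": '{"username": "alice@example.com", "password": "hunter2"}'}},
     "response": {"headers": [{"name": "Set-Cookie", "value": "sid=102A9PqW; Path=/; Secure; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "102A9PqW"}],
                  "content": {"mimeType": "application/json",
                              "text": '{"status": "SUCCESS", "sessionToken": "20111Tx9zQ"}'}}},
    {"request": {"method": "GET", "url": "https://app.example.com/cb#id_token=" + FAKE_JWT + "&state=xyz",
                 "headers": [{"name": "Authorization", "value": "Bearer " + FAKE_JWT}],
                 "cookies": [], "queryString": []},
     "response": {"headers": [], "cookies": [],
                  "content": {"mimeType": "text/html", "text": "<html>ok</html>"}}},
]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=1))
    print("still present:", leaks(clean, "hunter2", "102A9PqW", "20111Tx9zQ"), residual_jwts(clean))
```

On a real capture, `json.load` the file, pass the result to `sanitize_har`, and gate the upload on `leaks(...)` and `residual_jwts(...)` both coming back empty. Whatever name list you settle on, over-redaction is the safe failure mode: support can ask for a field back, but cannot un-see a session cookie.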

Downstream incidents have also been reported publicly. One was 1Password, a password management platform used by over 100,000 businesses, which disclosed that attackers had breached its systems via its Okta identity management tenant.

Additional information

The threat actor targeted Okta's support case management system, which is separate from the primary Okta service. The HAR files customers upload for troubleshooting can contain sensitive information, which is why such files must be sanitized before they are shared.

The indicators provided are primarily commercial VPN nodes. We recommend that organizations check their logs for any interaction with the IPs and user agents listed below, paying particular attention to any that seem out of place or infrequent in their environment.

Impacted System:

Okta Support Case Management System

Indicators of Compromise:

Type         Indicator
IP           23.105.182[.]19
IP           104.251.211[.]122
IP           202.59.10[.]100
IP           162.210.194[.]35
IP           198.16.66[.]124
IP           198.16.66[.]156
IP           198.16.70[.]28
IP           198.16.74[.]203
IP           198.16.74[.]204
IP           198.16.74[.]205
IP           198.98.49[.]203
IP           2.56.164[.]52
IP           207.244.71[.]82
IP           207.244.71[.]84
IP           207.244.89[.]161
IP           207.244.89[.]162
IP           23.106.249[.]52
IP           23.106.56[.]11
IP           23.106.56[.]21
IP           23.106.56[.]36
IP           23.106.56[.]37
IP           23.106.56[.]38
IP           23.106.56[.]54
User-Agent   Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
User-Agent   Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/99.0.4844.83 Safari/537.36
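A sweep of exported Okta System Log events against the indicators above, as an added example that is not Okta's or this advisory's tooling. It assumes the System Log field layout (client.ipAddress, client.userAgent.rawUserAgent, actor.alternateId, outcome.result); the events embedded in it are constructed. The IPs are carried defanged exactly as listed and refanged in code, and the user agents are matched on their Chrome build strings rather than on the whole string.

```python
"""Sweep an Okta System Log export for the indicators in this advisory.

Added example, not Okta's or this advisory's tooling. Events are dicts shaped like
Okta System Log entries (client.ipAddress, client.userAgent.rawUserAgent,
actor.alternateId); the events embedded below are constructed.
"""
import json
from collections import Counter

# The IPs exactly as the advisory lists them, defanged; refanged once at import.
IOC_IPS_DEFANGED = [
    "23.105.182[.]19", "104.251.211[.]122", "202.59.10[.]100", "162.210.194[.]35",
    "198.16.66[.]124", "198.16.66[.]156", "198.16.70[.]28", "198.16.74[.]203",
    "198.16.74[.]204", "198.16.74[.]205", "198.98.49[.]203", "2.56.164[.]52",
    "207.244.71[.]82", "207.244.71[.]84", "207.244.89[.]161", "207.244.89[.]162",
    "23.106.249[.]52", "23.106.56[.]11", "23.106.56[.]21", "23.106.56[.]36",
    "23.106.56[.]37", "23.106.56[.]38", "23.106.56[.]54",
]


def refang(indicator):
    """Turn a defanged indicator ('1.2[.]3[.]4') back into the value that appears in logs."""
    return indicator.replace("[.]", ".")


IOC_IPS = frozenset(refang(ip) for ip in IOC_IPS_DEFANGED)

# The Chrome build strings are the distinctive part of the two indicator user agents.
# Matching on them tolerates the whitespace and line-wrap damage copied UA strings pick up.
IOC_UA_FRAGMENTS = ("Chrome/99.0.7113.93", "Chrome/99.0.4844.83")


def _get(event, dotted):
    """Safe nested lookup: _get(e, 'client.userAgent.rawUserAgent') -> value or None."""
    for key in dotted.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event


def match_event(event):
    """Indicator matches for one event: 'ip:<addr>' and/or 'ua:<fragment>'; [] when clean."""
    reasons = []
    ip = _get(event, "client.ipAddress")
    if ip in IOC_IPS:
        reasons.append("ip:" + ip)
    ua = _get(event, "client.userAgent.rawUserAgent") or ""
    reasons += ["ua:" + frag for frag in IOC_UA_FRAGMENTS if frag in ua]
    return reasons


def sweep(events):
    """One triage record per event that touches an indicator, in log order."""
    hits = []
    for e in events:
        reasons = match_event(e)
        if reasons:
            hits.append({"published": e.get("published"), "eventType": e.get("eventType"),
                         "actor": _get(e, "actor.alternateId"), "ip": _get(e, "client.ipAddress"),
                         "outcome": _get(e, "outcome.result"), "reasons": reasons})
    return hits


def by_ip(hits):
    """Hit count per source IP: IP matches are the lead, UA-only hits are context."""
    return Counter(h["ip"] for h in hits)


def load_events(path):
    """Load an export saved as a JSON array or as one JSON object per line."""
    with open(path) as f:
        text = f.read()
    if text.lstrip().startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


SAMPLE_EVENTS = [  # constructed, shaped like Okta System Log entries; not real log data
    {"published": "2023-10-19T14:02:11.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "admin@example.com"}, "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "23.106.56.21", "userAgent": {"rawUserAgent":
                "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36"}}},
    {"published": "2023-10-19T14:05:40.000Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "bob@example.com"}, "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "203.0.113.8", "userAgent": {"rawUserAgent":
                "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36"}}},
    {"published": "2023-10-19T14:07:03.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "carol@example.com"}, "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "198.51.100.23", "userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"}}},
    {"published": "2023-10-20T02:41:55.000Z", "eventType": "system.api_token.create",
     "actor": {"alternateId": "admin@example.com"}, "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "198.16.66.124", "userAgent": {"rawUserAgent":
                "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}}},
]

if __name__ == "__main__":
    import sys
    events = load_events(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVENTS
    hits = sweep(events)
    for hit in hits:
        print(hit)
    print(by_ip(hits))
```

Triage the output by IP first: a session start or API token creation from one of the listed VPN exits is the lead. A user-agent-only hit is weaker, since a build string on its own can also appear in ordinary browser traffic, so treat it as context unless it coincides with an unusual account, time or event type, which is the "out of place or infrequent" test the advisory asks for.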

References:

[1] https://sec.okta.com/harfiles
[2] https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
[3] https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
