Okta Breach Part 2: Unveiling the Full Scope and Impact

Introduction

In late October, Okta, reported a cybersecurity breach that initially appeared to affect less than 1% of its customers. However, recent revelations indicate a far-reaching impact, affecting 99.6% of users in the customer support system. This blog post delves into the broader implications of this

The True Scope Revealed

Contrary to initial estimates downplaying, it has now been disclosed that hackers successfully ran a report on September 28, 2023. It contained sensitive information about all Okta customer support system users. The compromised data had names, email addresses, company names, contact phone numbers, and other details, Impacting 100% of Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers. The only exception being those in highly sensitive environments such as the government.

Financial Impact on Okta

Despite the significant dip in Okta’s stock prices when the breach was first reported in October, resulting in a temporary loss of approximately $2 billion in market capitalisation, the financial fallout seems to be hovering in the single digits. Okta’s latest quarterly financial report indicates a more than 20% increase in revenues for the quarter ending October 31, demonstrating a robust financial performance despite the security incident.

Customer Trust at Stake

The discrepancy between the initially reported 1% impact and the actual 99.6% of affected users reveals a concerning lapse in transparency. Okta customers are now grappling with the realization that threat actors may have access to their names and email addresses, exposing them to the risk of phishing and social engineering attacks. While Okta assures that there is no direct evidence of exploitation, they urge customers to remain vigilant. This stolen information could be weaponized for targeted cyber scams.

Phishing and Social Engineering Threat

With 99.6% of users having their names and email addresses exposed. These stolen data poses a heightened risk of phishing and social engineering attacks.

Okta Phishing

Cyber security experts emphasise the need for Okta customers, especially administrators, to enforce multi-factor authentication (MFA) and consider the use of phishing-resistant authentication. The potential for threat actors to exploit this information for targeted attacks underscores the importance of proactive security measures on the customer’s end.

Conclusion

In the aftermath of the Okta breach, customer trust in identity management systems faces a critical test. As emphasised by the mantra “The ‘S’ in IAM stands for Security”, the true scale of the incident challenges the reliance on auto-saved passwords, demonstrating the vulnerability of conventional systems. We urgently advocate for the adoption of passwordless authentication. For those catching up, our previous post details the Okta breach, highlighting the imperative to . #gopasswordless . This approach not only addresses current vulnerabilities but also aligns with the evolving demands of a secure digital landscape.

Unpacking Okta’s Recent Security Breach

Introduction

In today’s interconnected world, data breaches have become unfortunately common. One recent incident that has drawn the cybersecurity community’s attention involves Okta, a prominent identity and access management (IAM) provider. This blog post delves into the specifics of the Okta breach, its impact, and the lessons we can learn.

The Initial Okta Breach

The story starts with a breach of Okta’s case management system, reported in late October. Threat actors gained unauthorised access to sensitive files of 134 Okta customers, less than 1% of the customer base. Some stolen files were HTTP Archive (HAR) files with session tokens, usable in session hijacking attacks.

Targets: BeyondTrust, Cloudflare, and 1Password

BeyondTrust, Cloudflare, and 1Password confirmed their systems were targeted due to this breach. They emphasised no loss of customer data during these incidents, highlighting their robust security measures.

Okta’s Response and Investigation

David Bradbury, Okta’s Chief Security Officer, revealed the breach’s origin. An employee logged into their personal Google account on an Okta-managed laptop, inadvertently saving service account credentials. The hackers exploited this service account, gaining permissions to view and update support cases. The breach occurred from September 28 to October 17, 2023.

Investigation Challenges

Okta’s security team initially focused on unauthorized access to support cases. Identifying suspicious downloads took 14 days. Unique log event types and IDs complicated the detection process.

On October 13, BeyondTrust provided a suspicious IP address, leading to the identification of the compromised account’s activities.

Implications and Ongoing Concerns

The breach raises numerous cybersecurity concerns. Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, highlighted the potential for secondary attacks arising from exposed data. Such incidents erode trust in service providers, especially for security-focused companies like Okta.

John Bambenek, Principal Threat Hunter at Netenrich, pointed out that recurring security events raise questions about Okta’s reliability in sensitive roles like identity and authentication.

Conclusion: The Vital Role of Passwordless Authentication

The Okta breach underscores the importance of robust cybersecurity practices. Organisations must remain vigilant, conducting continuous security assessments and proactively implementing measures against evolving threats.

A single compromised password can jeopardize an entire institution. Therefore, we strongly advocate for passwordless authentication. By eliminating passwords, organizations can fortify their defenses, enhancing security and reducing the risk of future incidents. Passwordless authentication is a safer and more effective approach to protecting digital identities in today’s evolving landscape. #gopasswordless

Slack’s GitHub Exposed – Another MFA Failure

Slack reported suspicious activity on January 9th, 2023 regarding a breach in it’s remotely stored GitHub account. Upon investigation, it was found that tokens of a few Slack employees were stolen, and used to gain access to remote git repositories. The threat actors also downloaded code from private repository. Slack also stated that the threat resulted from a third party vendor, and also assured its users that no customer data is at risk.

Previous Incidents

In March 2015, Slack shared that it had been hacked for over four days in Feb 2015. Additionally, In January 2021, it had a outage for several hours. In a previous blog , we have discussed a past security bug on Slack at December 2022 where passwords were stored in their Android apps in plain text.

Reason and Impact

The attackers were able to gain access due to a security flaw in Slack’s authentication system using Brute Force. Once they had access, they were able to steal the secret seeds (used to generate pseudo random tokens) associated with that organisation’s account and gain access to the private code repositories stored on GitHub. The fact that a brute force attack was successful indicates a security lapse from Slack.

The company claims that the threat actors did not get access to production environment, customer data or Slack resources. Additionally, Slack rotated the concerning tokens with the third vendors, and deployed additional security on their externally hosted GitHub.

About MFA Tokens

In their update what Slack is mentioning as token are MFA seeds or secret keys. These seeds or keys are shared secret between the (Slack’s) server and user’s MFA application. These seeds are used in generation of tokens which are then used to authenticate user in conjunction with passwords.

image credit – Twilio

Twilio has provided here a detailed explanation on how the MFA works with secret keys. Unfortunately Twilio’s Authy was breached and customer’s TOTP secret keys were leaked in the recent past.

Mitigation

Authentication system depending on abusable data like Passwords, Biometrics, or TOTP/HOTP Tokens, of public-keys are insecure by design. Adopting authentication solution which makes use of zero-knowledge factors are resilient to data leakage in case of breach.

PureID‘s Passwordless Authentication platform – PureAUTH eliminates the risk in case of total breach of the authentication parameters it uses to verify users.

Check out, how PureAUTH makes Slack Passwordless and secure from credential based attacks.

Connect with us to know how PureAUTH platform can help your enterprise be more secure and resilient.

Your 1st Step to #GoPasswordless

Everyone understands and acknowledges that passwords are evil and are the biggest risk for enterprises. We have also seen that augmenting passwords with different factors not only makes the authentication process complex and costly but also fails to provide any effective security. Clearly, enterprise must choose to #GoPasswordless. In this blog, we discuss how.

Securing your first line of Defence

VPNs are the first line of defence of any enterprise. Most of your workforce access your enterprise network through VPN. This also means that VPN sees most of the network based and credential stuffing attacks. Making VPN passwordless prevents credential stuffing and attacks arising from MFA bypass.

Modern VPNs you can readily make Passwrodless

Challenges

Enterprise users need time and a systematic approach to transition from password + MFA based authentication to passwordless authentication. Not all users can make this transition overnight, this becomes a hurdle in adopting a new type of authentication system.

Phased Approach

PureAUTH integrates with many leading and modern VPNs that support multiple authentication mechanisms simultaneously, over different interfaces. This allows enterprises to transition their users from passwords to passwordless authentication in a phased manner. 

  • Typically our customers opt to have an additional interface on VPN to support passwordless authentication with PureAUTH.
  • In the first phase they put 10% of their users on the passwordless authentication system allowing the rest of the workforce to continue with their usual method without any disruption. 
  • After testing the new system with initial users, next 80% users are put on the passwordless mode.
  • By this time enterprise is ready to move the remaining 10% of the users to passwordless system.
  • Once all users are transited, its safe to scrap password based authentication.
  • Once all enterprise users are comfortable to authenticate using passwordless method its time for other applications to #GoPasswordless.

In this video you can see how Cisco AnyConnect supports both password and passwordless authentication simultaneously.

Conclusion

PureAUTH makes it super easy to secure your VPN with passwordless authentication and help your workforce to make smooth transition from passwords to #GoPasswordless. Get in touch with us to check it out in your network.