Identity and session management provider Okta experienced a security breach affecting 134 of its customers. The breach, which took place between September 28 and October 17, 2023, gave attackers unauthorized access to HAR files, and the session tokens those files contained made session hijacking attacks possible.
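The HAR-file vector described above matters because a browser's HAR export records the cookies, bearer tokens and token-bearing response bodies of every request it captured, so an unredacted upload to a support desk is a replayable session. As an added example (not part of the original report and not Okta's own tooling), the Python below redacts that material from a constructed sample HAR before it would be shared; the tenant URL, cookie and token values are made up.

```python
import copy
import re

REDACTED = "[REDACTED]"
# Credential-bearing headers (matched case-insensitively) and the JSON token
# fields that Okta-style authentication responses return in their bodies.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
TOKEN_FIELD = re.compile(r'"(access_token|id_token|refresh_token|sessionToken)"\s*:\s*"[^"]*"')

# Constructed sample HAR (not a real capture): one authentication round-trip
# whose headers, cookies and body all carry replayable session material.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://example.okta.com/api/v1/authn",
        "headers": [{"name": "Accept", "value": "application/json"},
                    {"name": "Authorization", "value": "SSWS 00abc-constructed-token"},
                    {"name": "Cookie", "value": "sid=102abc; JSESSIONID=deadbeef"}],
        "cookies": [{"name": "sid", "value": "102abc"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102abc; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102abc"}],
        "content": {"text": '{"status":"SUCCESS","sessionToken":"20111xyz"}'},
    },
}]}}


def sanitize_har(har: dict) -> tuple[dict, int]:
    """Return a redacted deep copy of a HAR document plus the redaction count."""
    out = copy.deepcopy(har)  # never mutate the caller's capture
    redactions = 0
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side) or {}
            # Header values such as Authorization / Cookie are full credentials.
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    redactions += 1
            # Browsers also break cookies out into their own array; blank them all.
            for cookie in part.get("cookies", []):
                cookie["value"] = REDACTED
                redactions += 1
            # Tokens returned in JSON bodies (e.g. sessionToken) are replayable too.
            content = part.get("content") or {}
            if isinstance(content.get("text"), str):
                content["text"], n = TOKEN_FIELD.subn(rf'"\1":"{REDACTED}"', content["text"])
                redactions += n
    return out, redactions
```

Run it over a real export with `sanitize_har(json.load(open("capture.har")))` and write the returned copy out; the count tells you how much session material the original would have leaked.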
This breach resulted in the misuse of legitimate logins of five Okta customers, including well-known companies like 1Password, BeyondTrust, and Cloudflare. 1Password reported the anomaly shortly after the breach window opened. Okta’s Chief Security Officer David Bradbury acknowledged the breach on October 20, explaining that the stolen credentials provided access to Okta’s support management system.
Further investigation of this breach revealed that a service account belonging to Okta’s customer support system had been misused. This account, which had the authority to modify customer support cases, was linked to an employee’s personal Google account. This link suggests that the employee’s personal account is the likely source of the breach.
In response to the incidents, Okta invalidated the affected session tokens and closed the compromised service account. The company also blocked personal Google profile use in corporate versions of Chrome to restrict employees’ access to personal accounts on Okta-managed devices.
To make its platform more secure against similar threats, Okta introduced a session token binding feature that prompts administrators to re-authenticate when a network change is detected. This feature is available to customers through the Okta admin portal. This incident followed an unrelated breach at Okta’s healthcare provider that exposed sensitive information of thousands of Okta employees. This combination of security issues has led Okta to strengthen its defense mechanisms and take stringent measures to protect against sophisticated cyber threats.