OKTA HACKED - AGAIN

Okta, an identity and access management company, has been breached again. On Friday, 20th of October 2023, news broke that Okta had experienced a data breach, allowing hackers access to customer data in an attack that wasn't detected by Okta, but by BeyondTrust - one of Okta's customers.

 

Okta is an identity and access management (IAM) company with a market capitalization of 12.40 B USD as of 20th October 2023. (IAM is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources.) The company is famous for its multi-factor authentication (MFA) service, used by several companies across the world. However, this is not the first time the company has been breached in recent times.

 

 

Recent Okta Cyber Attacks

In December 2022, Bleeping Computer reported that Okta's source code was accessed and copied by a malicious actor. In a now public internal communication at Okta, it was gathered that "In early December 2022, GitHub alerted Okta about possible suspicious access to Okta code repositories…such access was used to copy Okta code repositories".


In January 2022, Okta was reported to have been hacked by the Lapsus$ group, who posted pictures of Okta's (alleged) internal systems to their Telegram channel. Okta confirmed that the hack affected around 366 Okta customers, but that the attacker was unable to "perform any configuration changes, MFA or password resets, or customer support “impersonation” events".

 


What Happened to Okta in October 2023

Cloudflare and BeyondTrust published articles stating that they identified attacks on their systems that had originated from their Okta accounts. According to Cloudflare, "On Wednesday, October 18, 2023, we discovered attacks on our system that we were able to trace back to Okta – threat actors were able to leverage an authentication token compromised at Okta to pivot into Cloudflare’s Okta instance".

 

Cloudflare also revealed that Okta was notified of this attack by BeyondTrust on 2nd October 2023. BeyondTrust's publication stated that "On October 2nd, 2023, the BeyondTrust security teams detected an identity-centric attack on an in-house Okta administrator account… The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers."

 


In summary, the threat actor hacked Okta through their customer support system and viewed files uploaded by some Okta customers as part of recent support cases. It appears that the threat actor then hijacked valid session cookies on the Okta support system and used them to try to pivot to Okta's customers' systems (as was the case for Cloudflare and BeyondTrust). Cloudflare reported that this actor compromised two of their employee accounts through this process before they were identified and contained by the internal incident response team. It's unclear how many Okta customers may have been compromised in a similar fashion.

 


Implications

It's not looking good for Okta.

 

Three major cyber-attacks in 2 years is not good for any firm, let alone a cybersecurity company. As of 20th October 2023, Okta's stock had fallen 11.6%, most likely due to the news of the data breach.

 

More importantly, there is the ever-dropping customer confidence: Several organizations had found alternatives to Okta following the December 2022 breach, and logic suggests that the company will lose even more customers this time around.

 

There's a lot yet to be known. And considering that this kind of breach could lead to cyber-attacks on and breaches of Okta's own customers, it's best to watch how it unfolds.

 

Hopefully Okta can weather this storm.