Security alert: Okta “support user” data theft

· 2 MIN READ · AARON WALTON · NOV 30, 2023 · TAGS: Alert / Phishing

Okta recently determined that a threat actor stole data pertaining to users of its support system in an incident identified in October. Here’s what you need to know.

What happened?

In October, Okta determined that a threat actor ran a report and obtained information about its customer support users.

As a result of this activity, we reviewed our existing detections for abnormal administrator behavior and created a new detection for stolen session cookie usage. We also reviewed all of our customers’ environments for known indicators of the attackers (even if those organizations aren’t customers of our threat hunting service).

Okta recently disclosed that the impact was greater than originally believed: the report the attacker created contained details of all of its customer support users. This information—including names, phone numbers, and addresses—can potentially allow an attacker to identify security personnel at targeted organizations. The attacker then attempted to create new users and give them administrative privileges.

Given Okta’s popularity and reach, and the extensive news coverage this attack is getting, it’s no wonder so many people are concerned. While all Okta customers should remain vigilant, they should remember that attackers can really only leverage this data in specific ways: as we see it, in social engineering and phishing attempts.

Why does it matter?

User identity is a major target of threat actors, and this incident targets almost all of Okta’s customers.

What are we doing for our customers?

We’ve followed these developments closely and are confident that we’re able to spot related activity with our current detections. We’re reviewing our Okta detection strategy for opportunities to modify alert severities to highlight activity resulting from abuse of the stolen information.

We’re also taking steps to ensure our own administrators have an eagle eye for spotting social engineering attempts. For example, one thing threat actors are doing right now is calling the help desk of a target organization, impersonating a user, and attempting to get that user’s password reset. If they’re successful, they may then send multi-factor authentication (MFA) requests to the real user in an attempt to get one approved.
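The help-desk pattern described above can be hunted for in Okta System Log data. The following is an added example, not Expel's detection logic: it flags a password reset performed by someone other than the account owner when repeated or denied MFA pushes to that user follow it. The flat record fields (`actor`, `user`), the 30-minute window and the push threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Okta System Log event type names. The flat record shape used here
# (published / eventType / actor / user) is a simplified assumption, not
# the nested JSON the System Log API returns.
RESET = "user.account.reset_password"
PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def resets_followed_by_pushes(events, window=timedelta(minutes=30), min_pushes=3):
    """Return one finding per password reset done by someone other than the
    account owner and followed, inside the window, by repeated or denied pushes."""
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    findings = []
    for i, reset in enumerate(events):
        if reset["eventType"] != RESET or reset["actor"] == reset["user"]:
            continue  # not a reset, or the user reset their own password
        start, sent, denied = parse_ts(reset["published"]), 0, 0
        for later in events[i + 1:]:
            if parse_ts(later["published"]) - start > window:
                break  # events are sorted, so nothing later can match
            if later["user"] == reset["user"]:
                sent += later["eventType"] == PUSH_SENT
                denied += later["eventType"] == PUSH_DENIED
        if sent >= min_pushes or denied:
            findings.append({"user": reset["user"], "reset_by": reset["actor"],
                             "reset_at": reset["published"],
                             "pushes_sent": sent, "pushes_denied": denied})
    return findings

def ev(ts, event_type, actor, user):
    return {"published": ts, "eventType": event_type, "actor": actor, "user": user}

# Constructed sample events, not real log data.
SAMPLE = [
    ev("2023-11-30T14:00:05Z", RESET, "helpdesk@example.com", "alice@example.com"),
    ev("2023-11-30T14:02:00Z", PUSH_SENT, "alice@example.com", "alice@example.com"),
    ev("2023-11-30T14:03:00Z", PUSH_SENT, "alice@example.com", "alice@example.com"),
    ev("2023-11-30T14:04:00Z", PUSH_SENT, "alice@example.com", "alice@example.com"),
    ev("2023-11-30T14:04:30Z", PUSH_DENIED, "alice@example.com", "alice@example.com"),
    ev("2023-11-30T15:00:00Z", RESET, "helpdesk@example.com", "bob@example.com"),
    ev("2023-11-30T15:05:00Z", PUSH_SENT, "bob@example.com", "bob@example.com"),
    ev("2023-11-30T16:00:00Z", RESET, "carol@example.com", "carol@example.com"),
    ev("2023-11-30T16:01:00Z", PUSH_DENIED, "carol@example.com", "carol@example.com"),
]
```

On the sample, only the reset for alice is flagged: a single push after bob's reset stays under the threshold, and carol's self-initiated reset is skipped.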

What should you do right now?

  • Make sure your Okta administrator accounts are secured with MFA.
  • Test all security controls related to user and administrator password resets.
  • Test controls for different methods, such as self-service password resets and calls to the help desk.
  • We also urge all Okta customers to brush up on their phishing policies, including what to do if they suspect they’ve received a phishing email. Be aware of any and all emails, texts, phone calls, or messages of any kind that seem out of the ordinary, and verify anything that requests sensitive or confidential data.

You can learn more about this attack here, and if you’re interested in speaking with us on how we can help protect your org, drop us a line.