On Friday, October 20, the identity management platform Okta said it suffered an intrusion in its customer support system. Because Okta provides access and authentication services to other organizations, a breach of Okta always carries risk for its customers, and the company confirmed that “certain Okta customers” were affected. Okta tells WIRED that it notified “around 1 percent” of its 18,400 customers that they were impacted.
The password manager 1Password, an Okta customer, said this week that it had notified the company on September 29 of suspicious activity that ultimately was tied to the support system incident. BeyondTrust, another identity and access management firm and also an Okta customer, said last week that it had similarly flagged concerning behavior in its Okta administrator account and notified the company about the issue on October 2. Internet infrastructure company Cloudflare also said last week that it had detected a similar incident in its Okta systems on October 18 and notified the company as well.
Companies like Okta that provide crucial digital services to a large population of prominent customers are always going to be prime targets for attacks because they can serve as a sort of one-stop shop for hackers looking to compromise numerous organizations. And as tech giants like Microsoft have shown, some of these attacks may well lead to breaches even if the vast majority are blocked. The breach at Okta is particularly concerning because it shares many features with a security incident the company dealt with in 2022, in which attackers compromised a subprocessor that Okta had trusted to do customer support work.
“What I find surprising in this case is that, after the 2022 breach, you'd think Okta would be on high alert for any externally exposed systems or personnel who may be targeted—and yet something has happened again,” says Adam Chester, a senior security consultant at TrustedSec.
The latest incident directly affected Okta's own customer support system rather than one run by a third-party partner. Attackers used stolen login credentials to sign in to an Okta support account, then used that access to harvest cookies and session tokens embedded in the troubleshooting files that customers upload when they ask Okta for support. Because such a token represents a live, already-authenticated session in the customer's own Okta tenant, whoever replays it can act as that customer without needing the password or second factor that created the session, so the attackers could move directly from Okta's support system into customer accounts.
1Password, BeyondTrust, and Cloudflare all said that they were able to detect and block the intrusions before any of their own customers were affected, but they all highlighted the fact that they had notified Okta about the situation before Okta warned them—in some cases weeks before Okta's public disclosure.
“This is the second time Cloudflare has been impacted by a breach of Okta’s systems,” a group of Cloudflare engineers wrote on Friday. They went on to share a list of recommendations for how Okta can improve its security posture: “Take any report of compromise seriously and act immediately to limit damage. Provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them. Require hardware keys to protect all systems, including third-party support providers.”
The Cloudflare engineers added that they view taking protective steps like these as “table stakes” for a company like Okta that provides such crucial security services to so many organizations.
When WIRED asked Okta a series of questions about what steps it is taking to improve customer service defenses in the wake of the two breaches, and why there appears to be a lack of urgency when the company receives reports of potential incidents, the company declined to comment. A spokesperson said it would share more information about these subjects soon.
“I really want to know what technical controls Okta had implemented following the 2022 breach, and why this time will be different,” says Evan Johnson, cofounder of RunReveal, which develops a system visibility and incident detection tool. “My hunch is they did not roll out hardware security keys, or didn’t roll them out for their contractors doing support.”
Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security, emphasizes that “the issue is bigger than Okta,” noting that software supply chain attacks, and the sheer volume of attacks that companies must defend against, are significant problems across the industry. “It's unfortunately common for service providers of any size to have trouble believing they are the source of an incident until definitive proof is offered,” he says.
Still, Williams adds, “there's a pattern here with Okta, and it involves outsourced support.” He also notes that one of the remediations Okta suggested to customers in the wake of the recent incident, stripping any session tokens that could be abused out of troubleshooting data before it is shared with support, is not realistic.
“Okta's suggestion—that somehow the customer must be responsible for stripping session tokens from the files they specifically request for troubleshooting purposes—is absurd,” he says. “That's like handing a knife to a toddler and then blaming the toddler for bleeding.”
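Whatever one thinks of pushing this burden onto customers, the mechanics of the remediation described above (and of the token theft described earlier in the piece) are easy to show in code. The following is an added example, not code from Okta, Cloudflare, 1Password, BeyondTrust or WIRED. It assumes the troubleshooting files in question are HTTP Archive (HAR) captures, which the article does not state, and it uses a constructed sample capture with hypothetical hostnames, cookie names and token values. The list of "sensitive" names it redacts is a heuristic chosen for this example, not a published standard.

```python
"""Redact session material from a HAR capture before it is uploaded to a
support desk. Added example; assumes HAR's JSON layout (log.entries[] with
request/response carrying headers, cookies, queryString, postData, content)."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Generic HTTP headers that always carry credentials or session state.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Heuristic (an assumption of this example): names containing these substrings,
# or the exact word "sid", are treated as secrets wherever they appear.
SENSITIVE_NAME_PARTS = ("token", "session", "secret", "password", "jwt")
# A JWT is three base64url segments; '{"' encodes to "eyJ", so that prefix is a tell.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _is_sensitive_name(name):
    n = name.lower()
    words = re.split(r"[^a-z0-9]+", n)
    return n in SENSITIVE_HEADERS or "sid" in words or any(p in n for p in SENSITIVE_NAME_PARTS)


def _scrub_pairs(pairs, counter, all_values=False):
    """Redact HAR {name, value} records. HAR cookie records are redacted wholesale:
    any cookie value may be a session, whatever its name."""
    for rec in pairs or []:
        if (all_values or _is_sensitive_name(rec.get("name", ""))) and rec.get("value") != REDACTED:
            rec["value"] = REDACTED
            counter[0] += 1


def _scrub_url(url, counter):
    """Redact sensitive query parameters carried in the request URL itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_sensitive_name(key) and value != REDACTED:
            value = REDACTED
            counter[0] += 1
        query.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def _scrub_obj(obj, counter):
    """Walk decoded JSON: redact sensitive keys, and JWT-shaped strings anywhere."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if _is_sensitive_name(key) and isinstance(value, str) and value != REDACTED:
                obj[key] = REDACTED
                counter[0] += 1
            else:
                obj[key] = _scrub_obj(value, counter)
        return obj
    if isinstance(obj, list):
        return [_scrub_obj(item, counter) for item in obj]
    if isinstance(obj, str):
        new, hits = JWT_RE.subn(REDACTED, obj)
        counter[0] += hits
        return new
    return obj


def _scrub_text(text, counter):
    """Bodies: JSON is scrubbed by key name, anything else only by JWT shape."""
    if not isinstance(text, str):
        return text
    try:
        decoded = json.loads(text)
    except ValueError:
        new, hits = JWT_RE.subn(REDACTED, text)
        counter[0] += hits
        return new
    return json.dumps(_scrub_obj(decoded, counter))


def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions); the input is not mutated."""
    har = copy.deepcopy(har)
    counter = [0]
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if "url" in req:
            req["url"] = _scrub_url(req["url"], counter)
        _scrub_pairs(req.get("queryString"), counter)
        for part in (req, resp):
            _scrub_pairs(part.get("headers"), counter)
            _scrub_pairs(part.get("cookies"), counter, all_values=True)
        for holder in (req.get("postData"), resp.get("content")):
            if holder and "text" in holder:
                holder["text"] = _scrub_text(holder["text"], counter)
    return har, counter[0]


# Constructed sample (hypothetical host, cookies and tokens): a login flow whose
# session token leaks into the URL, cookies, headers and both bodies.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://idp.example.test/api/v1/users/me?sessionToken=abc123&expand=group",
                 "headers": [{"name": "Cookie", "value": "sid=102abcdef; JSESSIONID=DEADBEEF"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "102abcdef"}, {"name": "lang", "value": "en"}],
                 "queryString": [{"name": "sessionToken", "value": "abc123"},
                                 {"name": "expand", "value": "group"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=102abcdef; Secure; HttpOnly"},
                              {"name": "Content-Type", "value": "text/plain"}],
                  "cookies": [{"name": "sid", "value": "102abcdef"}],
                  "content": {"mimeType": "text/plain",
                              "text": "ok eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1In0.sig"}}},
    {"request": {"method": "POST", "url": "https://idp.example.test/api/v1/authn",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "cookies": [], "queryString": [],
                 "postData": {"mimeType": "application/json",
                              "text": '{"username": "alice", "password": "hunter2"}'}},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=302fedcba; Secure; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "302fedcba"}],
                  "content": {"mimeType": "application/json",
                              "text": '{"status": "SUCCESS", "sessionToken": "20111xyz"}'}}}]}}

if __name__ == "__main__":
    import sys
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, hits = sanitize_har(source)
    print(f"{hits} redactions")
    print(json.dumps(clean, indent=2))
```

Run it against a real capture with `python sanitize_har.py capture.har > clean.har` (the filename is the reader's choice). Note what the scrubber cannot promise: it redacts by name and by shape, so a session token under an unremarkable key, or one that is not JWT-shaped, survives, which is exactly why relying on the customer to do this is a weak control compared with never accepting live sessions into support tooling in the first place.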