Okta: October Data Breach Affects All Customer Support System Users

Cyber Security Threat Summary:
Last month, Okta disclosed that attackers breached its customer support system, gaining unauthorized access to files associated with 134 Okta customers. Some of these were HAR files containing session tokens that could be used for session hijacking attacks. After re-examining the actions taken by the threat actor, Okta has now issued a statement disclosing that the actor also downloaded a report containing the names and email addresses of all Okta customer support system users. The report also contains input fields for company name, user type, role, phone number, mobile number, time zone, and SAML Federation ID. However, Okta states that the majority of the fields in the report are blank and do not contain credentials or sensitive personal data.
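The HAR files at the centre of this incident carry session tokens because a browser capture records every request and response header, including Cookie, Set-Cookie and Authorization. The following is an added example, not Okta's tooling, that redacts that session material from a HAR document before it is uploaded to a support case and checks that nothing was missed; the sample capture is constructed and the hostname and token values are placeholders.

```python
import json

# Constructed sample HAR (one entry) with the kinds of session material a real capture holds.
SAMPLE_HAR = {
    "log": {"entries": [{
        "request": {
            "url": "https://example.okta.com/api/v1/users/me",
            "headers": [
                {"name": "Cookie", "value": "sid=102abcDEF; DT=xyz"},
                {"name": "Authorization", "value": "SSWS placeholder-api-token"},
                {"name": "Accept", "value": "application/json"},
            ],
            "cookies": [{"name": "sid", "value": "102abcDEF"}],
        },
        "response": {
            "status": 200,
            "headers": [
                {"name": "Set-Cookie", "value": "sid=102abcDEF; Path=/; HttpOnly"},
                {"name": "Content-Type", "value": "application/json"},
            ],
            "cookies": [{"name": "sid", "value": "102abcDEF"}],
        },
    }]}
}

REDACTED = "[REDACTED]"
# Header names whose values carry credentials or session identifiers.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

def scrub_har(har: dict) -> dict:
    """Return a deep copy of the HAR with cookie and credential headers blanked in every entry."""
    clean = json.loads(json.dumps(har))  # deep copy that stays plain JSON-serialisable
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for hdr in msg.get("headers", []):
                if hdr.get("name", "").lower() in SENSITIVE_HEADERS:
                    hdr["value"] = REDACTED
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
    return clean

def has_session_material(har: dict) -> bool:
    """Pre-upload check: True if any cookie or sensitive header still holds an unredacted value."""
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for hdr in msg.get("headers", []):
                if hdr.get("name", "").lower() in SENSITIVE_HEADERS and hdr.get("value") != REDACTED:
                    return True
            if any(c.get("value") != REDACTED for c in msg.get("cookies", [])):
                return True
    return False
```

Run `has_session_material` on the scrubbed output before attaching the file; the original capture is left untouched so the check can be compared against it.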

Security Officer Comments:
Given that the names and emails were downloaded by the actor, this information could be used to launch targeted phishing attacks aimed at obtaining further sensitive data from victims. As such, Okta recommends the following steps be taken to stay protected against potential attacks:

  1. Implement MFA for admin access, preferably using phishing-resistant methods like Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards.
  2. Enable admin session binding to require re-authentication for admin sessions from new IP addresses.
  3. Set admin session timeouts to a maximum of 12 hours with a 15-minute idle time, as per NIST guidelines.
  4. Increase phishing awareness by staying vigilant against phishing attempts and by reinforcing IT Help Desk verification processes, especially for high-risk actions.