
Okta: Customer Support Breach Ensnared 134 Corporate Clients

That's less than 1% of Okta’s total customer base, which tops 18,000 businesses. But the company was only made aware of the breach when notified by several of those customers.

Michael Kan, Principal Reporter

(Tiffany Hagler-Geard/Bloomberg via Getty Images)

Okta initially said last month’s breach of the company’s systems affected a “very small number” of clients, and today it specified that the incident ensnared 134 corporate customers. 

The company revealed the finding in a new report about the breach, which targeted Okta’s customer support system. The attack immediately raised red flags since Okta is a major single sign-on provider, enabling users to log into multiple websites and apps through a single method. 

The new report reveals the hacker initially gained access on Sept. 28. It wasn’t until Oct. 17, nearly three weeks later, that the hacker was booted from Okta's customer support system.

By gaining access, the hacker was able to view HTTP archive files that corporate clients had uploaded to Okta’s systems to troubleshoot issues. These archive files could contain sensitive internet cookies and session tokens of a client, paving the way for a hacker to impersonate valid Okta users.  
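To make the exposure concrete: a HAR file is a JSON record of every request and response in a browser session, headers and cookies included. The sketch below is an added example, not code from Okta or its report; it redacts credential-bearing headers and cookie values from a HAR 1.2 capture before the file is shared, and reports what it found. The sample capture, host name and token values are constructed.

```python
import copy

# Header names whose values carry credentials or session state.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def sanitize_har(har):
    """Return (sanitized_copy, findings) for a parsed HAR 1.2 document."""
    clean = copy.deepcopy(har)  # never modify the caller's capture
    findings = []
    for i, entry in enumerate(clean.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            for header in msg.get("headers") or []:
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    findings.append(f"entry[{i}].{side}.headers:{header['name']}")
            # The parsed cookies array repeats what the Cookie/Set-Cookie headers hold.
            for cookie in msg.get("cookies") or []:
                cookie["value"] = REDACTED
                findings.append(f"entry[{i}].{side}.cookies:{cookie.get('name')}")
    return clean, findings


# Constructed sample capture (hypothetical host and token values).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://tenant.example/api/v1/users",
        "headers": [
            {"name": "Accept", "value": "application/json"},
            {"name": "Cookie", "value": "sid=constructed-session-id"},
            {"name": "Authorization", "value": "Bearer constructed-token"},
        ],
        "cookies": [{"name": "sid", "value": "constructed-session-id"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-session-id; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "constructed-session-id"}],
    },
}]}}

if __name__ == "__main__":
    cleaned, found = sanitize_har(SAMPLE_HAR)
    print("\n".join(found))
```

This covers headers and the parsed cookie arrays only; tokens carried in URLs, query strings or message bodies need separate handling.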

Okta points out the 134 affected customers represent less than 1% of Okta’s total customer base, which tops 18,000 businesses. The company adds that “the threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event.” Hence, Okta isn’t necessarily wrong to say the breach affected only a small portion of its customer base. 


Still, the company wasn’t able to detect the hacker’s activities on its own. On Sept. 29, an Okta customer, 1Password, notified the company about suspicious activity on their account. Two other customers, security provider BeyondTrust and Cloudflare, would later report the same. 

But despite the early warnings, Okta struggled to find evidence of the breach over the next 14 days due to an oversight in how the company’s own system records access logs. It was only on Oct. 13, when BeyondTrust supplied Okta with an IP address associated with the hacker, that the company began to pin down the threat. Okta has since contacted all the affected customers while patching the flaws the hacker exploited to break in. 

The report also addresses a mystery about how the hacker was able to infiltrate the customer support system in the first place. Okta suspects one of its own employees was the weak link. According to the company, the staffer had “signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop.”

“The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device,” the company added. 

The breach marks the third time Okta has suffered a hack over the past two years. The previous incidents involved a hacker breaking into the company’s GitHub repository and a cybergang known as LAPSUS$ breaching the company’s network. 

On Thursday, Okta also reported another data breach, this time from a third-party health vendor. It looks like the incident only affected the company’s employees. According to Okta’s breach notice, the hacker stole sensitive data from a vendor the company was using to help employees find healthcare providers.
