Okta has disclosed that hackers gained access to its customer support management system, exposing sensitive data belonging to some customers.
The company said the threat actors were able to view files uploaded by certain Okta customers as part of recent support cases. These files may have contained sensitive data, including cookies and session tokens, that could be used to impersonate valid users.
Okta said it has worked with affected customers to investigate the incident and has taken measures to protect its customers, including the revocation of embedded session tokens. The company also recommends that customers sanitize all credentials and cookies/session tokens within a HAR file before sharing it.
Okta did not disclose how the hackers stole the credentials to its support system or whether access to the compromised system was protected by two-factor authentication.
Security firm BeyondTrust said it alerted Okta to suspicious activity earlier this month after detecting an attacker using a valid authentication cookie trying to access one of BeyondTrust’s in-house Okta administrator accounts. BeyondTrust’s access policy controls stopped the attacker’s initial activity, but limitations in Okta’s security model allowed them to perform a few confined actions. BeyondTrust was eventually able to block all access.
BeyondTrust said it notified Okta of the incident, but did not receive a response for more than two weeks.
The sources for this piece include an article in ArsTechnica.