Identity and authentication management provider Okta on Friday disclosed that the recent support case management system breach affected 134 of its 18,400 customers.
It further noted that the unauthorized intruder gained access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking attacks.
“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers,” Okta’s Chief Security Officer, David Bradbury, said.
Three of those affected include 1Password, BeyondTrust, and Cloudflare. 1Password was the first company to report suspicious activity on September 29. Two other unnamed customers were identified on October 12 and October 18.
Okta formally revealed the security event on October 20, stating that the threat actor leveraged access to a stolen credential to access Okta’s support case management system.
Now, the company has shared some more details of how this happened.
It said the access to Okta’s customer support system abused a service account stored in the system itself, which had privileges to view and update customer support cases.
Further investigation revealed that the username and password of the service account had been saved to an employee’s personal Google account and that the individual had signed-in to their personal account on the Chrome web browser of their Okta-managed laptop.
“The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device,” Bradbury said.
Okta has since revoked the session tokens embedded in the HAR files shared by the affected customers and disabled the compromised service account.
It has also blocked the use of personal Google profiles within enterprise versions of Google Chrome, preventing its employees from signing in to their personal accounts on Okta-managed laptops.
“Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators,” Bradbury said.
“Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.”
The development comes days after Okta revealed that personal information belonging to 4,961 current and former employees was exposed after its healthcare coverage vendor, Rightway Healthcare, was breached on September 23, 2023. Compromised data included names, Social Security numbers, and health or medical insurance plans.