Latest Okta Breach: Stolen Credentials and Third-Party Risk

[UPDATED] On Oct. 19, Okta informed its customers of a cybersecurity incident involving unauthorized access to its customer support system. After completing a root cause analysis and remediation, the identity and access management company ascertained that 134 of its customers were impacted.

BeyondTrust, 1Password, and Cloudflare were among the impacted companies. Each of these companies identified compromises in their systems related to the Okta breach. How did a threat actor breach Okta, and what should CISOs think about as third-party risk continues to be an inevitable challenge in their enterprises’ interconnected ecosystems?

Discovering and Responding to the Breach

Okta confirmed that a threat actor gained access to files in its customer support system from Sept. 28 to Oct. 17, according to the company’s executive summary of the incident. Password manager 1Password identified suspicious activity on its Okta instance on Sept. 29, according to a company blog. Identity and access management company BeyondTrust flagged an attack on an in-house Okta administrator account on Oct. 2, according to an extensive blog on the cybersecurity incident. On Oct. 18, cloud services company Cloudflare traced attacks on its system back to Okta, according to its blog.

Related:FTC to Require More Data Breach Reporting, Security Plan

Marc Maiffret, chief technology officer at BeyondTrust, tells InformationWeek that his company spent two weeks trying to escalate the issue with Okta. “We quickly tried to work with Okta, pivoting from their support team to try to talk to the security team and get things escalated and that became kind of a two-week endeavor,” he shares.

BeyondTrust, 1Password, and Cloudflare all report that the breach did not impact their data or their customers.

Okta determined that the exposure was linked to an employee signing on to a personal Google profile in Chrome on a company laptop. The username and password for a service account was saved in the employee’s personal Google account. That personal account was likely compromised, allowing exposure of the service account credentials, according to Okta’s executive summary.

“We have notified all customers of our findings and have completed remediations to protect all our customers,” according to an emailed statement from Okta.

The company’s remediation efforts include disabling the compromised service account and enhanced monitoring for its customer support system. Additionally, it released “session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators,” according to the executive report.

Related:Damage Control: Addressing Reputational Harm After a Data Breach

Okta has also taken steps to prevent its employees from logging into personal Google profiles on Chrome when using company laptops.

Responding to Ongoing Third-Party Risk

This is not the first time Okta or its customers have been breached. In 2022, extortion group Lapsus$ hacked the company. And Okta employee personal and healthcare data was exposed via a third-party vendor breach.

An earlier version of this article stated that a prior breach of Okta this year led to attacks against MGMResorts and Caesars. Okta shared an emailed statement for clarification following the initial publication of this story. 

“We are aware of a social engineering cyberattack on MGM and Caesars. There has been no compromise or breach of Okta systems and the Okta service remains fully operational and secure. We are available to assist MGM and Caesars in any way we can,” according to the statement. 

In August, Okta published a blog warning about attacks against Okta customers in which threat actors leveraged social engineering to gain privileged roles. 

Breaches like this are likely to happen again, and cybersecurity leaders need to consider what that means for their enterprises.

Related:What Are the Biggest Lessons from the MGM Ransomware Attack?

Third-party risk is intrinsic to modern operations for most enterprises. “Any modern enterprise today probably has a dozen odd of their core vendors and providers that, if they’re breached, could pose a significant security risk [to] the organization,” says Boaz Gelbord, chief security officer at cloud company Akamai.

Service providers like Okta are particularly attractive because they offer threat actors the keys to compromising multiple organizations and pursuing a wide variety of nefarious objectives.

“It is going to happen; it's just the nature of being one of the top identity providers in the space,” Jason Rebholz, CISO at cyber insurance company Corvus Insurance, emphasizes. “So, how many of your vendors are using them? Do you know that?”

Having an ongoing dialogue with critical service providers can help CISOs and their teams answer that question. It is important to talk about “what some of their defense mechanisms are and what are some of the ways that the complexities of their systems and vulnerabilities may interact with your own systems,” says Gelbord.

Accounting for the potential vulnerabilities of critical providers during pen testing and tabletop exercises can help enterprises broaden their incident response plans in anticipation of future third-party breaches.

Understanding Human Error

On the surface, the Okta breach is the result of human error. “This employee made a mistake: the sign-on to their personal Google account, and who hasn't?” says Tal Skverer, research team lead at Astrix Security, an identity security company.

The mix of personal and corporate use on a company laptop is not new, and it is not going away. Enterprises in some tightly regulated industries may have restrictions in place to prohibit that personal use, but that is not the norm.

“There's always going to be some level of access to environments that are not completely corporate controlled,” says Gelbord.

Human error is also outside of corporate control. While user education is a valuable tool, it is not a last line of defense. “If you are relying on your users to be your first and only line of defense and security, you've already lost,” says Rebholz.

The more important question is not how to stop user error, it is what kind of defense-in-depth strategies does a security team have in place to account for the inevitability of humans making mistakes?

In the case of a breach like the one Okta suffered, Skverer emphasizes the importance of securing and monitoring service accounts. “Treat service accounts as more risky than your average user,” he explains. He recommends taking measures to secure service account credentials, even if people make mistakes.

“How do we try to protect those service accounts so that people don't even have the option to try to save that to the personal account or a company account?” Rebholz asks.

Plus, monitoring service account activity can alert organizations to suspicious behavior.

Learning From the Breach

This Okta breach serves as a reminder of third-party risk and human error. CISOs know that these are pressing issues that impact how they do their jobs, but cybersecurity incidents linked to both persist. What lessons can security leaders learn to build resilience in the realities of today’s threat landscape?  

BeyondTrust’s Maiffret points out that many enterprises have a siloed approach to security. Different teams, often working in isolation, run the on-premises, cloud and SaaS infrastructure elements of enterprise environment. And attackers are all too eager to take advantage of those siloes, first compromising one part of the IT infrastructure and then pivoting to another.

“I've had many CISOs reaching out that are basically trying to figure out first and foremost how should they think about it organizationally. How do they break down these silos internally?” he tells InformationWeek. “It's not a single product or something that you just throw at a problem like this. It is how do you set yourself up organizationally [so] that you have a central view and understanding of identity security?”