Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit. The hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion. In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it “has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”
Through Okta’s support unit, the hackers obtained access tokens: the files uploaded there included HTTP Archive (HAR) files, which contain customer cookies and session tokens that an intruder can replay to impersonate valid users. BeyondTrust, one of Okta’s customers, caught the attack earlier this month as it was happening and alerted Okta on Oct. 2. BeyondTrust’s security team detected that someone was trying to use an Okta account assigned to one of their engineers to create an all-powerful administrator account within their Okta environment. When BeyondTrust reviewed the activity of the employee account that tried to create the new administrative profile, they found that — just 30 minutes prior to the unauthorized activity — one of their support engineers had shared with Okta one of these HAR files, and it contained a valid Okta session token.
Okta has worked with impacted customers to investigate and has taken measures to protect its customers, including the revocation of embedded session tokens. In general, it is recommended to sanitize all credentials and cookies/session tokens within a HAR file before sharing it.
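The sanitizing step above is easy to get wrong by hand, because a HAR file carries the same session token in several places (the `Cookie` and `Set-Cookie` headers, the `cookies` arrays, query strings, and sometimes JSON response bodies). The script below is an added example, not code from Okta or BeyondTrust: it redacts every location where a browser export typically leaks credentials and then checks that known secret values no longer appear anywhere in the output. The `SAMPLE_HAR` document, the hostname `example.okta.com`, and the cookie and token values in it are constructed for the demonstration; the lists of sensitive header and parameter names are the author's choices, not an exhaustive standard.

```python
"""Redact credentials and session state from a HAR (HTTP Archive) file before sharing it."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names (compared lower-cased) whose values carry credentials or session state.
SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization",
    "x-api-key", "x-auth-token", "x-csrf-token",
}
# Query-string / form parameter names that commonly carry secrets (illustrative list).
SENSITIVE_PARAM = re.compile(
    r"(token|session|sid|password|passwd|secret|api[_-]?key|auth|code|nonce)", re.I
)
# Compact JWT shape (header.payload.signature) so tokens embedded in bodies are caught too.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*")


def _redact_pairs(pairs, is_sensitive):
    """Redact name/value pairs (headers, cookies, params) in place; return how many changed."""
    changed = 0
    for pair in pairs or []:
        if is_sensitive(pair.get("name", "")) and pair.get("value") != REDACTED:
            pair["value"] = REDACTED
            changed += 1
    return changed


def _redact_url(url):
    """Rebuild the URL with sensitive query parameter values replaced."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if SENSITIVE_PARAM.search(k) else v) for k, v in query]
    changed = sum(1 for (_, old), (_, new) in zip(query, cleaned) if old != new)
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]"))), changed


def _redact_text(text):
    """Strip JWT-shaped tokens from a request or response body."""
    if not isinstance(text, str):
        return text, 0
    return JWT_RE.subn(REDACTED, text)


def sanitize_har(har):
    """Return (sanitized deep copy, number of values redacted). The input is not modified."""
    clean = copy.deepcopy(har)
    total = 0

    def header_hit(name):
        return name.lower() in SENSITIVE_HEADERS

    def param_hit(name):
        return bool(SENSITIVE_PARAM.search(name))

    for entry in clean.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        for part in (req, resp):
            total += _redact_pairs(part.get("headers"), header_hit)
            # Every cookie is treated as sensitive: a session cookie is the credential itself.
            total += _redact_pairs(part.get("cookies"), lambda _name: True)
        total += _redact_pairs(req.get("queryString"), param_hit)
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            total += n
        post = req.get("postData", {})
        total += _redact_pairs(post.get("params"), param_hit)
        if "text" in post:
            post["text"], n = _redact_text(post["text"])
            total += n
        content = resp.get("content", {})
        if "text" in content:
            content["text"], n = _redact_text(content["text"])
            total += n
    return clean, total


def remaining(har, needles):
    """Verification step: which known secret values still appear anywhere in the document."""
    blob = json.dumps(har)
    return [s for s in needles if s in blob]


# Constructed sample: one request/response pair as a browser would export it.
SAMPLE_HAR = {
    "log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"}, "entries": [{
        "request": {
            "method": "GET",
            "url": "https://example.okta.com/api/v1/users/me?sessionToken=abc123",
            "headers": [{"name": "Cookie", "value": "sid=102abc; JSESSIONID=xyz"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "102abc"}],
            "queryString": [{"name": "sessionToken", "value": "abc123"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=102abc; Secure; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "102abc"}],
            "content": {"mimeType": "application/json",
                        "text": '{"id":"00u1example","accessToken":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwMHUxZXhhbXBsZSJ9.c2lnbmF0dXJl"}'},
        },
    }]}
}

if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} values; leaks left: {remaining(clean, ['102abc', 'abc123', 'eyJ'])}")
```

Two design points matter in practice. Redaction replaces values rather than deleting fields, so the support engineer on the other side still sees which headers and cookies were sent and can debug the request flow. And the `remaining` check runs over the serialized output rather than over the fields the script knows about, so a token that surfaced somewhere unexpected (a custom header, a redirect `Location`) is reported instead of silently shipped.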