Okta, a leading identity and authentication management firm, recently reported a security incident affecting a small fraction of its customer base. In an update published on Friday, the company said that 134 of its 18,400 customers were affected by the breach of its support case management system. The intrusion, which ran from September 28 to October 17, 2023, let an unauthorized party access HAR files that customers had uploaded to support cases for troubleshooting; some of those files contained valid session tokens, which the attacker could replay to hijack the customers' Okta sessions.
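Because the exposure came from session material captured inside HAR files, the practical control on the customer side is to scrub those files before attaching them to a support case. The following Python sanitizer is an added example written for this page, not Okta's own tooling: it walks a HAR, redacts cookie values, credential-bearing headers and token-named parameters, strips JWT-shaped strings from URLs and bodies, and reports how many redactions it made. The header and parameter name lists and the sample HAR are constructed assumptions; extend the lists for the application you are capturing.

```python
"""Redact session material from a HAR (HTTP Archive) file before it leaves your machine.

HAR files are JSON; browser dev tools record every request and response header,
cookie and body, so a capture taken while logged in carries live session
cookies and bearer tokens. Added example, not Okta tooling.
"""
import copy
import json
import re

# Header names whose values are credentials (matched case-insensitively). Assumption.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-okta-xsrftoken"}
# Query/form parameter names that commonly carry tokens. Assumption: extend per app.
SENSITIVE_PARAMS = {"sessiontoken", "access_token", "id_token", "refresh_token",
                    "code", "token"}
REDACTED = "[REDACTED]"
# name=value pairs in free text (URLs, form bodies) for the names above.
PARAM_RE = re.compile(r"(?i)\b(" + "|".join(sorted(SENSITIVE_PARAMS)) + r")=([^&\s\"']+)")
# Compact JWT: three base64url segments starting with the base64 of '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _scrub_text(text: str, counter: list) -> str:
    """Redact token-named parameters and JWT-shaped substrings in free text."""
    text, n1 = PARAM_RE.subn(r"\1=" + REDACTED, text)
    text, n2 = JWT_RE.subn(REDACTED, text)
    counter[0] += n1 + n2
    return text


def _scrub_named(items: list, names: set, counter: list) -> None:
    """Redact 'value' of each {'name': ..., 'value': ...} entry whose name matches."""
    for item in items:
        if item.get("name", "").lower() in names and item.get("value") != REDACTED:
            item["value"] = REDACTED
            counter[0] += 1


def sanitize_har(har: dict) -> tuple:
    """Return (sanitized deep copy, number of redactions). The input is not modified."""
    har = copy.deepcopy(har)
    count = [0]
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            _scrub_named(msg.get("headers", []), SENSITIVE_HEADERS, count)
            for cookie in msg.get("cookies", []):  # every cookie value is session material
                if cookie.get("value") != REDACTED:
                    cookie["value"] = REDACTED
                    count[0] += 1
        _scrub_named(req.get("queryString", []), SENSITIVE_PARAMS, count)
        if "url" in req:
            req["url"] = _scrub_text(req["url"], count)
        post = req.get("postData", {})
        _scrub_named(post.get("params", []), SENSITIVE_PARAMS, count)
        if "text" in post:
            post["text"] = _scrub_text(post["text"], count)
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = _scrub_text(content["text"], count)
    return har, count[0]


def leaked(har: dict, needle: str) -> bool:
    """Check a known secret against the serialized file, for verifying the output."""
    return needle in json.dumps(har)


# Constructed sample: one authenticated API call and one token refresh, with fake values.
JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhIn0.c2ln"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://example.okta.com/api/v1/users/me?sessionToken=20111abc",
                 "headers": [{"name": "Cookie", "value": "sid=102abcSESSION; DT=DI0xyz"},
                             {"name": "Authorization", "value": "Bearer " + JWT},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "102abcSESSION"}],
                 "queryString": [{"name": "sessionToken", "value": "20111abc"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=102abcSESSION; HttpOnly"}],
                  "cookies": [],
                  "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"}}},
    {"request": {"method": "POST", "url": "https://example.okta.com/oauth2/v1/token",
                 "headers": [{"name": "Content-Type",
                              "value": "application/x-www-form-urlencoded"}],
                 "cookies": [], "queryString": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "grant_type", "value": "refresh_token"},
                                         {"name": "refresh_token", "value": "rt_0123"}],
                              "text": "grant_type=refresh_token&refresh_token=rt_0123"}},
     "response": {"status": 200, "headers": [], "cookies": [],
                  "content": {"mimeType": "application/json",
                              "text": "{\"access_token\":\"" + JWT + "\",\"token_type\":\"Bearer\"}"}}},
]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"{n} redactions; session id still present: {leaked(clean, '102abcSESSION')}")
```

The redaction count is the number to eyeball before uploading: zero on a capture of an authenticated session means the name lists missed the app's own header or parameter, not that the file is clean. Run the sanitizer on the file, then search the output for the raw cookie value you can see in your browser's dev tools before attaching it to a ticket.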
David Bradbury, Okta's Chief Security Officer, said the attacker used the stolen tokens to hijack the live Okta sessions of five customers. Three of them, 1Password, BeyondTrust and Cloudflare, have publicly acknowledged being affected; 1Password detected suspicious activity as early as September 29. The remaining two customers were notified of the breach on October 12 and October 18, respectively.
Okta confirmed the breach on October 20 and traced it to a compromised service account in its customer support system, an account with broader access to customer support data than it needed. An employee had signed in to their personal Google account in the Chrome browser on an Okta-managed laptop, and the service account's credentials had been saved into that personal account, which Okta considers the most likely point of exposure.
In response, Okta revoked the stolen session tokens and disabled the compromised service account. To harden its posture further, Okta has blocked personal Google accounts in Chrome on corporate devices and introduced session token binding based on network location for administrators, so that an admin session is forced to reauthenticate whenever its network changes. Customers can enable these protections from the Early Access section of the Okta Admin Console.
Separately, Okta disclosed a second incident: its healthcare coverage provider, Rightway Healthcare, was breached on September 23, exposing the personal data of nearly 5,000 current and former Okta employees and their dependents, including names, Social Security numbers and health insurance plan details.