Okta Employee’s Google Account Leads to Security Breach

Okta, the US-based IT Service Management Company, acknowledges that the breach of the employee’s personal Google account or personal device is the most likely channel for exposure of the credential during the recent hack of its support system.  

According to the firm, between September 28, 2023, and October 17, 2023, a threat actor obtained unauthorized access to files connected to 134 Okta customers, or less than 1% of Okta customers.

Recently, Okta disclosed a data breach caused by a third-party vendor, Rightway Healthcare, Inc., which exposed the personal information of around 5,000 workers.

Specifics of the Breach

The support case management system compromised in this attack contained HTTP Archive (HAR) files, which facilitates troubleshooting by replicating browser activity.

Cookies and session tokens, among other sensitive data, can be found in HAR files and used by malicious actors to pose as legitimate users.

According to the firm, the threat actor was able to utilize these session tokens to hijack the legitimate Okta sessions of five customers, three of whom have published their responses to the incident.

Unauthorized entry into Okta’s customer care system was made possible by a service account that was stored within the system. Permission to view and update customer support cases has been granted to this service account.

“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” said David Bradbury, Chief Security Officer at Okta.

“The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device”.

While doing a thorough investigation, Okta did not find any suspicious downloads in their logs for 14 days.

When a user opens and views files related to a support case, a unique log event type and ID are generated. In this instance, the threat actor went directly to the Files tab in the customer support system, resulting in the creation of a completely different log event with a different record ID.

According to Bradbury, Okta’s first inquiries concentrated on cases involving access to support cases, and they then evaluated the associated records. 

BeyondTrust gave Okta Security a “suspicious IP address” associated with the threat actor on October 13, 2023. The business discovered the “additional file access events” linked to the hacked account using this indicator.

• Disable the compromised service account 
• Blocking the use of personal Google profiles with Google Chrome 
• Enhanced monitoring of the customer support system
• Binding Okta administrator session tokens based on network location

“Okta administrators are now forced to re-authenticate if we detect a network change”, Bradbury said. Customers can activate this functionality in the Okta admin portal’s early access section.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.