Initial Access

Stolen Credentials leading to valid account access

Attackers used stolen credentials likely found from dumps online to successfully login to an employee's personal Google account, which also had saved credentials for a service account that had permissions to view and update support cases.

Persistence

Maintaining Access

Attackers leveraged the service account's authenticated access to stay inside Okta's system, utilizing active sessions during the window of access.

Privilege Escalation / Access Level

Service account

Attacker leveraged the service account with elevated permissions to view and update customer support cases, enough to access customer-uploaded attachments.

Discovery

Identify Data

Attacker used the support system to identify what data/users/files were available, including names + emails of ALL Okta customer support system users.

Collection

Data Gathered

Attacker gathered support case attachments, notably HAR files (browser troubleshooting logs) that contained session tokens. The attacker would specifically access the "Files" tab workflow on the support system, which affected what logs were initially reviewed.

Data Exfiltration

Stole from Okta

Okta disclosed two main exfiltration buckets that the attacker got away with. This included customer support attachment/files from the support system (Over 134 customers) and user list report (names and email of ALL Okta customer support system users).

Impact

Aftermath of Okta

Attackers utilized the session token from the HAR files to hijack sessions for 5 customers. Cloudflare's Okta instance was one of the five victims. BeyondTrust was another victim, however it was swiftly detected and blocked by their team. Most notably, Okta's customer base is left at a extremely high risk for phishing/social engineering due to customer information being leaked, allowing targeted phishing emails to be crafted.

Response

Okta's Response

Okta disabled the service account that was compromised by the attacker on October 17th and revoked sessions tokens found in HAR files. There has been no evidence of further malicious activity determined.