Okta is an Identity and Access Management (IAM) company: other organizations use Okta to provide secure, centrally managed authentication, a single pane of glass for access to many systems. Many Fortune 500 organizations rely on Okta to control access to their internal systems. It is therefore extremely concerning that Okta has recently confirmed that its systems were breached. The company I currently work for is impacted because our remote solutions provider uses Okta; they reported to us that they have conducted an incident response and that the result of their investigation indicates none of their systems were compromised as a result of Okta's breach.
According to Cloudflare, "January 2022, hackers outside Okta had access to an Okta support employee's account and were able to take actions as if they were that employee. In a screenshot shared on social media, a Cloudflare employee's email address was visible, along with a popup indicating the hacker was posing as an Okta employee and could have initiated a password reset." What is more interesting is that the compromise was announced by the threat actors themselves in a tweet. Cloudflare saw the tweet on Twitter and escalated it to its internal Security Incident Response Team (SIRT).
The threat actors appear to have been looking for source code via the Okta access. The timeline is still vague: DarkReading indicates that the breach, or the first signs of it, started in December 2021, while Cloudflare's information points to January 2022. Graham-Cumming wrote that Cloudflare looked for "potential suspicious activities, including password resets over the past three months". The reported response was to activate the internal SIRT and enforce least-privilege policies.
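The practical check behind that sentence is to go through your own Okta System Log for password resets in the last three months and ask who performed each one. The example below is added here and is not code from the page, from Okta or from Cloudflare. It parses a constructed sample of System Log events (field names follow the Okta System Log schema; the event-type names `user.account.reset_password` and `user.account.update_password`, the 90-day window and every user and timestamp are assumptions made for the example) and flags resets where the actor is someone other than the targeted user, which is exactly the case a compromised support account would produce.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of Okta System Log events as JSON lines. Field names
# follow the Okta System Log schema; all values are invented for this example.
SAMPLE_LOG = "\n".join([
    # Old reset, outside the three-month window: ignored.
    '{"published": "2021-11-02T09:15:00.000Z", "eventType": "user.account.reset_password", '
    '"outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "support@okta.example"}, '
    '"target": [{"type": "User", "alternateId": "dave@example.com"}]}',
    # User resets her own password: normal, not flagged.
    '{"published": "2022-01-20T14:02:11.000Z", "eventType": "user.account.reset_password", '
    '"outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "alice@example.com"}, '
    '"target": [{"type": "User", "alternateId": "alice@example.com"}]}',
    # Reset performed by a support account on someone else: flagged.
    '{"published": "2022-01-21T09:15:00.000Z", "eventType": "user.account.reset_password", '
    '"outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "support@okta.example"}, '
    '"target": [{"type": "User", "alternateId": "bob@example.com"}]}',
    # Unrelated event type: ignored.
    '{"published": "2022-02-01T12:00:00.000Z", "eventType": "user.session.start", '
    '"outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "bob@example.com"}, '
    '"target": []}',
    # Reset by an internal admin on another user: still worth a human review, flagged.
    '{"published": "2022-02-10T08:30:00.000Z", "eventType": "user.account.update_password", '
    '"outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "admin@example.com"}, '
    '"target": [{"type": "User", "alternateId": "carol@example.com"}]}',
])

# Event types that change a user's password (assumed names, see lead-in).
RESET_EVENT_TYPES = {"user.account.reset_password", "user.account.update_password"}

# Date the review is run from; the page's sources are dated March 22-24, 2022.
REPORT_DATE = datetime(2022, 3, 24, tzinfo=timezone.utc)


def parse_published(ts):
    """Parse the Okta 'published' timestamp (ISO 8601, UTC, milliseconds)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_third_party_resets(log_text, now, days=90):
    """Return password-change events within the window where the actor is
    not the user whose password was changed. Each finding is a dict with
    the timestamp, actor, target and outcome so it can be handed to a reviewer."""
    cutoff = now - timedelta(days=days)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("eventType") not in RESET_EVENT_TYPES:
            continue
        if parse_published(event["published"]) < cutoff:
            continue
        actor = event.get("actor", {}).get("alternateId")
        for target in event.get("target", []):
            if target.get("type") != "User":
                continue
            victim = target.get("alternateId")
            if victim and victim != actor:
                findings.append({
                    "published": event["published"],
                    "actor": actor,
                    "target": victim,
                    "result": event.get("outcome", {}).get("result"),
                })
    return findings


def sample_findings():
    """Run the check over the constructed sample as of REPORT_DATE."""
    return find_third_party_resets(SAMPLE_LOG, REPORT_DATE)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['published']}  {f['actor']} reset {f['target']} ({f['result']})")
```

Every flagged line is a candidate for the same treatment Cloudflare applied: force a fresh credential reset for that user and confirm the change with them out of band. Self-service resets are excluded deliberately; the attacker in this incident acted as a support employee, so the signal is a reset initiated by a third party, not the reset itself.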
I have written 3 cybernews stories thus far in class, and in all of them the customers and partners of the compromised organizations are left in the dark and left to fend for themselves. Not only that, they are also left with no information on how best to move forward except the standard "Reset all passwords and harden your systems".
DarkReading, March 22, 2022, "Security Teams Need to Investigate the Okta Breach Themselves". Accessed on March 24, 2022: https://www.darkreading.com/edge-articles/security-teams-need-to-investigate-the-okta-breach-themselves
John Graham-Cumming, March 22, 2022, "Cloudflare's investigation of the January 2022 Okta Compromise". Accessed on March 24, 2022: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/