OKTA
Back in October Okta reported a breach that they said only affected 134 (<1%) of their customers. But they were wrong. WAY wrong! In fact, the attackers were able to steal EVERY customer support client's information!
“We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRAMP High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident.”
Here’s exactly what they were able to get on every single one of their support clients:
– Created Date
– Last Login
– Full Name
– Username
– Company Name
– User Type
– Address
– Date of Last Password Change / Reset
– Role name / descriptions
– Phone number
– Mobile number
– Time Zone
– SAML Federation ID
Additionally, Okta said that the attackers also downloaded other reports and support cases which contain contact information of Okta certified users and some Okta Customer Identity Cloud contacts and “other information”. Oh… and “some Okta employee information” was also stolen.
Okta has stated that the attackers did NOT get user credentials or sensitive personal data. Although I’m curious as to what exactly “sensitive personal data” means, since they did get full name, address, cell phone number and SAML Federation IDs. Okta also stated that for 99.6% of the users in the report, all the attackers got was full name and email address.
Okta reportedly hasn’t seen any active attacks using this information yet, but that doesn’t mean it’s not happening.
I think we can all see where this is going… MASSIVE social engineering / phishing / social media attacks are about to happen.
So let’s cut to the big question: what can Okta customers do today to stay safe?
– Implement MFA if not already.
– Make sure phishing-resistant email notifications are turned on.
– Okta says to use Okta Verify FastPass (I would suggest a non-Okta alternative given all the recent breaches). Okta also recommends FIDO2 WebAuthn or PIV/CAC cards, but we all know how long that will take to implement.
– Enable Admin Session Binding, which Okta strongly recommends. It is an Early Access feature in Okta that requires admins to reauthenticate if their session is reused from an IP with a different ASN (Autonomous System Number).
– Admin Session Timeout: To align with NIST AAL3 (Authenticator Assurance Level 3) guidelines and increase the security posture of every customer, Okta is introducing Admin Console timeouts that will be set to a default of 12-hour session duration and a 15-minute idle time. Customers will have the option to edit these settings. This will be available as an Early Access feature starting November 29th for preview orgs and December 4th for production orgs. The feature will be available for all production orgs by January 8th, 2024.
– Okta also strongly recommends that customers review their IT Help Desk verification processes and ensure that appropriate checks, such as visual verification, are performed before performing high risk actions such as password or factor resets on privileged accounts.
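To make the two admin-session controls above concrete, here is an added example (my own illustration, not Okta’s code) that models Admin Session Binding and the Admin Session Timeout defaults as a single policy check: reauthenticate when a session is reused from an IP in a different ASN, when it is older than 12 hours, or when it has been idle more than 15 minutes. The prefix-to-ASN table and the IP addresses are constructed sample data; a real deployment would consult an ASN database.

```python
"""Model of Okta's Admin Session Binding + Admin Session Timeout controls.
Added example, not Okta's implementation. ASN table and IPs are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_LIFETIME = timedelta(hours=12)   # default admin session duration
MAX_IDLE = timedelta(minutes=15)     # default admin idle timeout

# Constructed prefix -> ASN table standing in for a real ASN database.
ASN_TABLE = {
    ip_network("203.0.113.0/24"): 64500,   # sample: corporate egress
    ip_network("198.51.100.0/24"): 64501,  # sample: residential ISP
}

def lookup_asn(ip: str) -> Optional[int]:
    """Return the ASN for an IP, or None if it is not in the table."""
    addr = ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None

@dataclass
class AdminSession:
    created: datetime
    last_seen: datetime
    bound_asn: Optional[int]   # ASN observed when the session was issued

def evaluate(session: AdminSession, now: datetime, client_ip: str) -> str:
    """Return 'allow', or a 'reauth: ...' reason the admin must sign in again."""
    if now - session.created > MAX_LIFETIME:
        return "reauth: session exceeded 12h lifetime"
    if now - session.last_seen > MAX_IDLE:
        return "reauth: idle longer than 15m"
    asn = lookup_asn(client_ip)
    # Fail closed: an unknown ASN counts as a change, never as a match.
    if asn is None or asn != session.bound_asn:
        return f"reauth: ASN changed {session.bound_asn} -> {asn}"
    session.last_seen = now   # activity refreshes the idle timer only
    return "allow"

def demo() -> list:
    """Walk one admin session through reuse from the same and a different ASN."""
    t0 = datetime(2023, 11, 29, 9, 0)
    s = AdminSession(created=t0, last_seen=t0, bound_asn=64500)
    return [
        evaluate(s, t0 + timedelta(minutes=5), "203.0.113.10"),   # same ASN
        evaluate(s, t0 + timedelta(minutes=10), "198.51.100.7"),  # other ASN
        evaluate(s, t0 + timedelta(minutes=30), "203.0.113.10"),  # idle > 15m
    ]
```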
A lot of articles reporting on this like to end by noting that Okta stock dumped almost 10% this morning with the news, but as of this afternoon, it’s already higher than yesterday’s opening price. Looks like a massive buy this morning after the dump to rebound the stock. My guess is that Okta attempted to save the price. If you want to look at some shocking stock price action for Okta, since the announcement of the breach in October, they’ve dropped almost 20%, and if you go back to November of ’21, they’re down around 75% and holding.
I’ve already had clients ask me what I think this means for Okta and whether clients are going to rip and replace it with something else. I don’t think so. The product still works great and I don’t see companies spending hundreds of thousands, if not millions of dollars buying something else and then spending the time replacing it all. What I do see happening is that companies looking to buy Okta, or renew, may have a change of heart. There’s been a lot of bad news around Okta in the past couple of months, and I don’t envision many CIOs / CISOs betting their career on a product that’s been in the headlines so much for access breaches when that’s exactly what their products are meant to prevent.
Maybe Okta should take a note out of their own playbook and look inwards on implementing those highly suggested changes to prevent breaches.
That’s all for today! If you have any questions or want to know more information, leave a comment below, or hit me up on email.
In the meantime, Stay alert out there and trust no one. Later.