Okta: October data breach affects all customer support system users



Okta's investigation into the breach of its Help Center environment last month revealed that the hackers obtained data belonging to all customer support system users.

The company notes that the threat actor also accessed additional reports and support cases with contact information of all Okta certified users.

At the beginning of November, the company revealed that a threat actor had gained unauthorized access to files inside its customer support system and that initial evidence indicated a limited data breach.

According to details revealed at the time, the hacker accessed HAR files with cookies and session tokens for 134 customers - less than 1% of the company's customers - that could be used to hijack Okta sessions of legitimate users.
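A HAR capture records every request and response, including the Cookie, Set-Cookie and Authorization headers that carry session material, which is why an unsanitized upload to a support desk hands over a replayable session. The following is an added example, not Okta's tooling or code from the original article, showing how to strip that material from a HAR file before sharing it; the header names, parameter patterns and the sample capture are assumptions constructed for the example.

```python
"""Redact session material from a HAR capture before it leaves your hands."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names whose values are credentials or session material (assumed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}

# Query-string, form and JSON keys that commonly carry tokens (assumed pattern).
SENSITIVE_PARAM_RE = re.compile(r"(token|session|sid|jwt|password|secret|code)", re.IGNORECASE)

# Bearer tokens embedded in free text, e.g. a body that echoes an access token.
BEARER_RE = re.compile(r"(?i)bearer\s+[A-Za-z0-9\-._~+/]+=*")


def _redact_headers(headers):
    n = 0
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED
            n += 1
    return n


def _redact_cookies(cookies):
    # Every cookie value goes; the name stays so the engineer can see which cookies existed.
    for c in cookies:
        c["value"] = REDACTED
    return len(cookies)


def _redact_params(params):
    n = 0
    for p in params:
        if SENSITIVE_PARAM_RE.search(p.get("name", "")):
            p["value"] = REDACTED
            n += 1
    return n


def _redact_url(url):
    # Tokens also leak through query strings, so rebuild the URL with sensitive keys masked.
    parts = urlsplit(url)
    cleaned, n = [], 0
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_PARAM_RE.search(key):
            value, n = REDACTED, n + 1
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), n


def _redact_text(text):
    return BEARER_RE.subn("Bearer " + REDACTED, text)


def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions); the input is left untouched."""
    har = copy.deepcopy(har)
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        count += _redact_headers(req.get("headers", []))
        count += _redact_headers(resp.get("headers", []))
        count += _redact_cookies(req.get("cookies", []))
        count += _redact_cookies(resp.get("cookies", []))
        count += _redact_params(req.get("queryString", []))
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            count += n
        post = req.get("postData", {})
        count += _redact_params(post.get("params", []))
        if "text" in post:
            post["text"], n = _redact_text(post["text"])
            count += n
        content = resp.get("content", {})
        if "text" in content:
            content["text"], n = _redact_text(content["text"])
            count += n
    return har, count


def contains_secret(har, needle):
    """True if the serialized HAR still contains the given value anywhere."""
    return needle in json.dumps(har)


# Constructed sample capture (not a real Okta session); hostnames and tokens are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://example.okta.test/api/v1/users/me?sessionToken=abc123&locale=en",
        "headers": [
            {"name": "Cookie", "value": "sid=102Zz...; DT=xyz"},
            {"name": "Authorization", "value": "Bearer eyJhbGciOi.fake.token"},
            {"name": "Accept", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "102Zz..."}, {"name": "DT", "value": "xyz"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"}, {"name": "locale", "value": "en"}],
        "postData": {"mimeType": "application/json", "text": "{\"note\": \"Bearer eyJhbGciOi.fake.token\"}"},
    },
    "response": {
        "status": 200,
        "headers": [
            {"name": "Set-Cookie", "value": "sid=new456; Secure; HttpOnly"},
            {"name": "Content-Type", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "new456"}],
        "content": {"mimeType": "application/json", "text": "{\"id\": \"00u1\"}"},
    },
}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"{n} redactions; sid still present: {contains_secret(clean, 'new456')}")
```

Run it on a real capture by loading the file with `json.load`, passing the dict to `sanitize_har`, and writing the returned copy out; review the result before uploading, since the patterns above are a starting point, not a guarantee that every application-specific token is caught.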

Further investigation of the attack revealed that the threat actor also "downloaded a report that contained the names and email addresses of all Okta customer support system users."

"All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident" - Okta

According to the company, the stolen report included fields for full name, username, email, company name, user type, address, last password change/reset, role, phone number, mobile number, time zone, and SAML Federation ID.

However, Okta clarifies that for 99.6% of the users listed in the report, the only contact information exposed was full name and email address. Also, the company assured that no credentials were exposed.

Okta's statement notes that many of the exposed users are administrators and 6% of them have not activated multi-factor authentication protection against unauthorized login attempts.

The company states that the intruders also accessed data from "Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts" along with Okta employee details.

"We also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data" - Okta

Most of the time, names and emails are enough for a threat actor to launch phishing or social engineering attacks that could serve them in reconnaissance stages or could help them obtain more details to prepare a more sophisticated attack.

To protect against potential attacks, Okta recommends the following:

  1. Implement MFA for admin access, preferably using phishing-resistant methods like Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards.
  2. Enable admin session binding to require re-authentication for admin sessions from new IP addresses.
  3. Set admin session timeouts to a maximum of 12 hours with a 15-minute idle time, as per NIST guidelines.
  4. Increase phishing awareness by staying vigilant against phishing attempts and reinforcing IT Help Desk verification processes, especially for high-risk actions.
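Recommendations 2 and 3 describe three independent conditions that an admin session must satisfy on every request: the client IP still matches the one the session was bound to at authentication, the session is younger than 12 hours, and no more than 15 minutes have passed since the last accepted request. The following is an added example, not Okta's implementation or code from the article, that models those checks as a small policy evaluator and replays a constructed timeline of admin requests through it; the event format, the decision labels and the IP addresses are assumptions made for the example.

```python
"""Model of admin session binding plus absolute and idle timeouts."""
from dataclasses import dataclass

MAX_SESSION_SECONDS = 12 * 3600   # recommendation 3: 12-hour ceiling on a session
MAX_IDLE_SECONDS = 15 * 60        # recommendation 3: 15-minute idle limit


@dataclass
class AdminSession:
    bound_ip: str        # recommendation 2: IP captured at full authentication
    started_at: int      # epoch seconds of the last full (MFA) authentication
    last_seen_at: int    # epoch seconds of the last accepted request


def evaluate(session, now, client_ip):
    """Decide one request: 'allow' or a 'reauth:<reason>' that the caller must enforce.

    Lifetime is checked before idle time so a session that is both old and idle reports
    the stronger reason; the IP check comes last because a moved session that is also
    expired should not get a fresh binding without a full login anyway.
    """
    if now - session.started_at > MAX_SESSION_SECONDS:
        return "reauth:expired"
    if now - session.last_seen_at > MAX_IDLE_SECONDS:
        return "reauth:idle"
    if client_ip != session.bound_ip:
        return "reauth:new-ip"
    session.last_seen_at = now    # only an allowed request refreshes the idle clock
    return "allow"


def replay(events):
    """Run (timestamp, client_ip, completed_full_auth) events through the policy.

    A completed full authentication creates a new session bound to that IP; every other
    event is a plain request judged against the current session.
    """
    session = None
    decisions = []
    for now, ip, fresh_auth in events:
        if fresh_auth:
            session = AdminSession(bound_ip=ip, started_at=now, last_seen_at=now)
            decisions.append("login")
        elif session is None:
            decisions.append("reauth:no-session")
        else:
            decisions.append(evaluate(session, now, ip))
    return decisions


# Constructed timeline (seconds from start, client IP, did the admin just complete MFA?).
SAMPLE_EVENTS = [
    (0, "10.0.0.5", True),            # admin logs in with MFA from the office
    (600, "10.0.0.5", False),         # routine request, same IP
    (700, "203.0.113.9", False),      # same cookie presented from a new IP: binding trips
    (800, "203.0.113.9", True),       # admin re-authenticates from the new location
    (1700, "203.0.113.9", False),     # exactly 15 minutes idle: still allowed
    (2700, "203.0.113.9", False),     # 1000 s idle: idle limit trips
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={event[0]:>5} ip={event[1]:<12} -> {decision}")
```

The replay makes the interaction between the rules visible: the stolen-cookie case at t=700 is refused by the IP binding alone, and re-authentication from the new address starts a fresh session rather than re-binding the old one, so the idle and lifetime clocks restart from that login.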

Okta has been a target of credential theft and social engineering attacks over the past two years, as hackers last December accessed source code from the company's private GitHub repositories.

In January 2022, hackers gained access to the laptop of an Okta support engineer with privileges to initiate password resets for customers. The incident impacted about 375 customers, representing 2.5% of the company's client base.

The Lapsus$ extortion group claimed the attack and leaked screenshots showing that they had "superuser/admin" access to Okta.com and could access customer data.