Okta reported that on October 20 an attacker leveraged a stolen credential to access its backend support case management system. While the identity and access management firm is downplaying the impact of the breach, experts suggest that the breach may have exposed sensitive customer data.This was not the first time the identity and access management (IAM) provider reported a breach. The last one was in March of 2022 when the Lapsus$ extortion group reported on Telegram that it had breached Okta.David Bradbury, chief security officer at Okta, said in an advisory that while the threat actor was able to view files uploaded by certain Okta customers as part of recent support cases, he noted that the Okta support case management system is separate from the production Okta service, which is fully operational and had not been impacted."All customers who were impacted by this have been notified," wrote Bradbury. "If you're an Okta customer and you have not been contacted with another message or method, there's no impact to your Okta environment or your support tickets." Bradbury did not indicate how many customers had been notified.While Okta downplayed the incident, Ted Miracco, chief executive officer at Approov, said it’s not altogether reassuring that the breach was limited to Okta's support management system, as that system likely contains valuable information related to customer support cases, including files uploaded by customers.Miracco said if attackers were able to access and view these files, they may have gained access to sensitive data such as customer credentials, personally identifiable information , or confidential documents. “The attackers could also attempt to use these credentials to escalate their access privileges, gain entry to other systems or services, or launch targeted attacks against Okta customers,” said Miracco. “This incident highlights the fact that while user authorization is a fundamental aspect of access control, relying solely on it can leave systems vulnerable. Incorporating technologies like multi-factor-authentication, and mobile device or app attestation can add extra layers of security to APIs, making it much harder for attackers to gain unauthorized access.”Tim Davis, vice president of solution consulting at DoControl, said it’s very common for ticketing support systems to run as Software as a Service (SaaS) applications. SaaS offers ease of access (anyone with an internet connection can access a SaaS platform) and the built-in data sharing capabilities for purposes of collaboration and productivity. However, Davis said these productivity gains in user and data access come at a cost in security, a cost that is still not well understood by most organizations.“SaaS platforms are typically not incentivized to secure the data stored within them or monitor who has access to it, since SaaS vendors want to enable and encourage collaboration,” said Davis. “It’s the responsibility of the organization to secure their data (and their customer's data) that is stored in SaaS applications. This security must include not only user access controls like SSO and MFA, but data access controls and visibility. Finally, it should include methods of detection for when valid user credentials have been compromised – such as behavioral analytics and data access thresholds.”
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds





