January 21, 2025

Security Breach: US software company with thousands of customers hit by hacker attack, customers’ access tokens stolen


US-based software company Okta, which provides identity tools such as multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach: hackers were able to break into its customer support unit. Okta has said that the incident affected a “very small number” of customers; however, it appears that the attackers had access to the company’s support platform for at least two weeks before the intrusion was fully contained.
Hackers were able to view files uploaded by certain Okta customers as part of recent support cases, Okta chief security officer David Bradbury admitted. “It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted,” he wrote in a blog post late on Friday (October 21).
Bradbury said that Okta support asks customers to upload an HTTP Archive (HAR) file, a recording of browser activity that lets support staff reproduce an issue.
“HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” he said.
Okta mail to customers
All customers who were impacted in the security breach have been notified by the company. In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it “has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”

“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” the advisory added. “In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
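The sanitizing step the advisory recommends is easy to skip when a HAR file is exported straight from the browser, because the sensitive values are buried inside headers, cookies, query strings and JSON bodies. The script below is an added example, not Okta's tooling or anything from the original article: it walks the standard HAR 1.2 structure (`log.entries[].request/response`), redacts credential-bearing headers, every cookie value, session-looking query parameters and JWT-shaped strings in bodies, and reports what it found so the file can be checked before it is attached to a support case. The header set, name patterns and the sample HAR are assumptions constructed for the example.

```python
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names that carry credentials or session material (compared case-insensitively).
# The set is an assumption for this example; extend it for your own environment.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}

# Query-parameter names that usually hold a session identifier or token.
SENSITIVE_NAME_RE = re.compile(r"token|session|sid|auth|jwt|secret|password", re.IGNORECASE)

# Shape of a JSON Web Token (three base64url segments, header starting with "eyJ"),
# the form in which bearer tokens often appear inside request and response bodies.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _redact_pairs(pairs, should_redact, location, idx, findings):
    """Redact the value of each {name, value} pair that should_redact(name) selects."""
    for pair in pairs:
        name = pair.get("name", "")
        if should_redact(name) and pair.get("value") not in (None, "", REDACTED):
            findings.append(f"entry {idx}: {location} '{name}'")
            pair["value"] = REDACTED


def _redact_url(req, idx, findings):
    """Redact sensitive query-parameter values embedded in the request URL itself."""
    parts = urlsplit(req.get("url", ""))
    if not parts.query:
        return
    params, changed = [], False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value and value != REDACTED and SENSITIVE_NAME_RE.search(name):
            value, changed = REDACTED, True
        params.append((name, value))
    if changed:
        findings.append(f"entry {idx}: URL query string")
        req["url"] = urlunsplit(parts._replace(query=urlencode(params)))


def _redact_body(container, idx, location, findings):
    """Replace JWT-shaped strings inside a postData/content 'text' field."""
    text = container.get("text")
    if isinstance(text, str) and JWT_RE.search(text):
        findings.append(f"entry {idx}: {location} contains a JWT-shaped value")
        container["text"] = JWT_RE.sub(REDACTED, text)


def sanitize_har(har):
    """Return (sanitized_copy, findings); the input dict is left untouched."""
    har = copy.deepcopy(har)
    findings = []
    for idx, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            part = entry.get(side, {})
            _redact_pairs(part.get("headers", []), lambda n: n.lower() in SENSITIVE_HEADERS,
                          f"{side} header", idx, findings)
            # Every cookie value is redacted: support staff never need the value itself.
            _redact_pairs(part.get("cookies", []), lambda n: True, f"{side} cookie", idx, findings)
        req, resp = entry.get("request", {}), entry.get("response", {})
        _redact_url(req, idx, findings)
        _redact_pairs(req.get("queryString", []), lambda n: bool(SENSITIVE_NAME_RE.search(n)),
                      "query parameter", idx, findings)
        if "postData" in req:
            _redact_body(req["postData"], idx, "request body", findings)
        if "content" in resp:
            _redact_body(resp["content"], idx, "response body", findings)
    return har, findings


def scan_har(har):
    """Dry run: list the sensitive items a HAR contains without modifying it."""
    return sanitize_har(har)[1]


# Constructed sample HAR (not a real capture) with the kinds of secrets a browser export carries.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJleGFtcGxlLXVzZXIifQ.c2lnbmF0dXJlLXBsYWNlaG9sZGVyLTEyMzQ1"
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed-example", "version": "0"}, "entries": [{
    "request": {
        "method": "GET",
        "url": "https://idp.example.invalid/api/v1/users/me?sessionToken=abc123&fields=id",
        "headers": [{"name": "Authorization", "value": f"Bearer {SAMPLE_JWT}"},
                    {"name": "Accept", "value": "application/json"},
                    {"name": "Cookie", "value": "sid=constructed-session-id-1"}],
        "cookies": [{"name": "sid", "value": "constructed-session-id-1"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"}, {"name": "fields", "value": "id"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-session-id-2; HttpOnly; Secure"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "constructed-session-id-2"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"id": "00u-example", "token": SAMPLE_JWT})}}}]}}

if __name__ == "__main__":
    clean, found = sanitize_har(SAMPLE_HAR)
    print("\n".join(found))
    print(json.dumps(clean, indent=2))
```

Run `scan_har` first to see what would be removed, then share only the output of `sanitize_har`. Redaction is deliberately coarse: a support engineer needs request paths, status codes and timings to reproduce a problem, never the cookie or bearer values themselves, so dropping every cookie value is the safe default even when a name does not look sensitive.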
How the hacking attack was discovered
Security firm BeyondTrust, which uses Okta, said that it notified the company of a potential breach on October 2 after it detected an attempted compromise of its network.
The incident began when BeyondTrust security teams detected an attacker trying to access an in-house Okta administrator account using a valid session cookie stolen from Okta’s support system.
“BeyondTrust’s own Identity Security Insights tool alerted the team of the attack, and they were able to block all access and verify that the attacker did not gain access to any systems,” said the company.
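The detection BeyondTrust describes hinges on one observation: a session cookie that was issued to an administrator's browser suddenly being presented from somewhere else. The following is an added example of that check, written for this article and not taken from BeyondTrust's Identity Security Insights or from Okta; it runs over constructed audit events whose field names are assumptions, not any vendor's log schema. It baselines each session on the first event that established it and flags later use of the same session from a different source IP or client, or long after it was issued.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    """One identity-provider audit record (constructed shape, not any vendor's schema)."""
    ts: datetime
    user: str
    session_id: str
    source_ip: str
    user_agent: str
    action: str


def detect_session_reuse(events, max_age=timedelta(hours=12)):
    """Flag events where a known session appears from a different IP or user agent than
    the one it was issued to, or is still used past max_age. Returns (event, reason) pairs."""
    origin = {}   # session_id -> first event observed for that session
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = origin.setdefault(ev.session_id, ev)
        if first is ev:
            continue           # this event established the session's baseline
        reasons = []
        if ev.source_ip != first.source_ip:
            reasons.append(f"source IP changed {first.source_ip} -> {ev.source_ip}")
        if ev.user_agent != first.user_agent:
            reasons.append("user agent changed")
        if ev.ts - first.ts > max_age:
            reasons.append(f"session still in use after {max_age}")
        if reasons:
            alerts.append((ev, "; ".join(reasons)))
    return alerts


# Constructed sample: an admin's normal session, an unrelated user's session, then the admin's
# session identifier presented from a different network and client. IPs are documentation ranges.
T0 = datetime(2023, 10, 2, 9, 0, 0)
DESKTOP_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/537.36"
SAMPLE_EVENTS = [
    AuthEvent(T0, "admin@example.invalid", "sess-A", "203.0.113.10", DESKTOP_UA, "user.session.start"),
    AuthEvent(T0 + timedelta(minutes=5), "admin@example.invalid", "sess-A", "203.0.113.10", DESKTOP_UA, "app.access"),
    AuthEvent(T0 + timedelta(minutes=30), "alice@example.invalid", "sess-B", "203.0.113.22", DESKTOP_UA, "user.session.start"),
    AuthEvent(T0 + timedelta(hours=2), "admin@example.invalid", "sess-A", "198.51.100.77", "curl/8.4.0", "admin.console.access"),
]

if __name__ == "__main__":
    for ev, reason in detect_session_reuse(SAMPLE_EVENTS):
        print(f"{ev.ts.isoformat()} {ev.user} {ev.session_id} {ev.action}: {reason}")
```

In production the baseline would come from the session-creation event rather than whichever record happens to be seen first, and the IP comparison is usually relaxed to ASN or geolocation to tolerate mobile networks. The response side matters as much as the alert: revoking the session server-side, as Okta did for the embedded tokens, is what turns a detection into containment.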