Okta Hacked Yet Again: 2FA Firm Failed to 2FA

Once is happenstance. Twice is coincidence. Five times is sheer incompetence.

Okta, an authentication cloud service, allowed its customers’ authentication tokens to be stolen. When a customer discovered the hack, they were basically ignored for two weeks—despite contacting Okta several times.

It wouldn’t have been a problem, had Okta enforced its own 2FA. In today’s SB Blogwatch, we see the irony.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Don’t go-ooo.

You Had One Job

What’s the craic? Sergiu Gatlan reports—“Okta says its support system was breached”:

“Took Okta over two weeks”
Okta says attackers accessed files containing cookies and session tokens uploaded by customers to its support management system after breaching it using stolen credentials. … While the company has yet to provide details on what customer information was exposed or accessed in the breach, the?…?system breached in this attack [contains] sensitive data, such as cookies and session tokens, which threat actors could use to hijack customer accounts.
…
Last year, Okta disclosed that some of its customers’ data was exposed after the Lapsus$ data extortion group gained access to its administrative consoles in January 2022. One-time passwords (OTPs) delivered to Okta customers?…?were also stolen by the Scatter Swine threat group?…?in August 2022. Okta-owned authentication service provider Auth0 also disclosed in September that some older source code repositories were stolen from its environment. … Okta revealed its own source code theft incident in December after the company’s private GitHub repositories were hacked.
…
An Okta spokesperson did not respond to questions regarding the date of the breach and how many customers were affected. [But] one of the affected customers?…?provided additional insight:?…?BeyondTrust’s security team detected and blocked an attempt to log into an in-house Okta administrator account?…?using a cookie stolen from Okta. … It took Okta over two weeks to confirm the breach.

Feeling some déjà vu? All aboard the Brian Krebs cycle—“Hackers Stole Access Tokens from Okta”:

“Caesar’s Entertainment and MGM Resorts”
Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach?…?for at least two weeks. … Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an?…?HAR file). These are sensitive files because they can include the customer’s cookies and session tokens, which intruders can then use to impersonate valid users.
…
Okta’s Deputy Chief Information Security Officer Charlotte Wylie said Okta initially believed that BeyondTrust’s alert on Oct. 2 was not a result of a breach. [It] comes just weeks after casino giants Caesar’s Entertainment and MGM Resorts were hacked. In both cases, the attackers managed to social engineer employees into resetting the multi-factor login requirements for Okta administrator accounts.

So a major authentication company gets hacked for the fifth time in under two years? If only there was some penalty for that. Rohan Goswami bags this angle—“Shares fell 11.5% on the news”:

Some of the largest companies in the world use Okta to streamline their login and identity management systems, including FedEx and Zoom, according to the company. That makes Okta a high-value target for threat actors, who in a worst-case scenario could hypothetically gain access to dozens of other companies if successful in breaching Okta’s defenses.

Who’d use Okta after this? Not miohtama:

It’s beyond my comprehension why anyone is using Okta anymore. Authentication is the most critical piece of any IT. Okta has proven again and again to be untrusted party lacking integrity. It’s just a time bomb about to go off.

Nor skotl:

Okta’s sole reason for existing is to add security to your authentication processes. [But] here we are again, with yet another breach.

People are being pretty polite. But this Anonymous Coward is less mealy-mouthed:

Okta is some real dog****. Anyone using Okta should be running for an exit.

What’s going on in that company? This pseudonymous commentator claims to be an Okta employee:

Until March 2022, Todd, Okta’s CEO, was accessing Okta systems with his personal (non-corp) laptop. He thought this was hilarious and made jokes about it at our company all-hands. I had never worked at a company where security was taken so casually.
…
The organization has so many problems. And this latest customer-facing escapade is no surprise.

There but for the grace of [deity] go we. aborsy cares not for peace, love, nor understanding:

Identity providers, password managers, VPN companies, [etc.] should never get hacked. They make their money from security products. I won’t use them if they are breached. They probably have deeper problems.
…
We can’t prove that a security company will not be breached. But once they have a significant breach, it might be time to move on. They likely have other problems. I’m looking at you LastPass!

Okta holds the keys to the castle. It has had?…?security incidents in the past. A compromise of the Okta systems will have a huge impact. … The margin for error is small.

Well, quite. And neither does joarD:

The company should tank, they should be ashamed of themselves for such knuckle headed foolery.
…
Their customer told them they had a breach. … Terrible dinosaur company. There is no excuse for these shameful repeat offenses. … You deserve to collapse and go bankrupt.
…
Okta needs to go. … Look at Okta’s track record, it speaks for itself.

Meanwhile, u/SteampunkSpaceOpera trusts no one:

Okta just sent me another email today touting their Zero Trust solutions. I do have zero trust in them.

And Finally:

Everybody sing along

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: gnuckx select1 (cc:by; leveled and cropped)