Unpacking the Okta Data Breach: How It Happened

In recent years, the increasing frequency of data breaches has raised concerns among businesses and consumers alike. The Okta data breach serves as a stark reminder of these vulnerabilities, especially considering that in 2024 the average total cost of a data breach in the United States reached a staggering $9.36 million. This incident not only highlights the financial implications of such security failures but also underscores the importance of timely detection. With an average of 194 days taken globally to identify a data breach in 2024, a slight improvement from 2023, organizations must prioritize their security measures to mitigate risks and protect sensitive information.

Who is Okta?

Founded in 2009, Okta is an identity and access management company. It was a forerunner of single sign-on, and many companies adopted the Okta portal to reduce the number of passwords users have to deal with. Okta also provides API access management, MFA, and other IAM solutions.  

Discovery of the Breach

The Okta data breach started when an employee’s Gmail account was compromised. They had logged into their personal Gmail on their work laptop and also saved their work credentials in Chrome. The compromise led to malware being installed on the laptop, which was used to gain access to Okta’s support system. The hackers targeted the unsanitized HAR files submitted by Okta’s customers during the normal troubleshooting process. The hackers then went to these companies and tried to breach their systems, largely without success.

It was 1Password, an Okta customer, that first alerted Okta, in late September 2023, to suspicious activity that they suspected had originated with Okta. Okta suspected that 1Password had been the victim of a phishing attack and dismissed the claim.

A few days later, on October 2nd, BeyondTrust uploaded a HAR file to Okta support while working on an issue. A HAR file is a log of a web browser’s interaction with a website and is useful for diagnosing performance and other issues. Within 30 minutes, BeyondTrust saw an attacker attempt to breach the BeyondTrust Okta environment using a valid session cookie. Thankfully, they had authentication policies in place that only allowed trusted users on trusted devices to access their Okta environment.
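Because a HAR file records every request and response header, it captures the browser’s session cookies and any tokens carried in URLs, which is exactly what the attacker replayed here. The sanitizer below is an added example written for this article, not Okta’s tool or any customer’s code; the HAR content, host name, cookie and token values are all constructed, and the parameter-name list is a starting point rather than a complete one. It redacts every cookie value, the credential-bearing headers, sensitive query-string and form parameters (including those embedded in the request URL), and response bodies, then reports whether any known secret survived.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names whose values carry credentials or session material; compared
# case-insensitively because HTTP header names are case-insensitive.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}

# Query-string and form-parameter names that commonly carry tokens or secrets.
# A constructed starting list for this example, not an exhaustive one.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "session_token",
                    "sessiontoken", "code", "password", "client_secret"}


def _redact_named(items, names):
    """Redact the value of each {"name": ..., "value": ...} entry whose name is in names."""
    count = 0
    for item in items:
        if item.get("name", "").lower() in names:
            item["value"] = REDACTED
            count += 1
    return count


def _redact_url_query(url):
    """Redact sensitive parameters embedded in the URL's own query string."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    count, pairs = 0, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            value, count = REDACTED, count + 1
        pairs.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), count


def sanitize_har(har):
    """Return (sanitized deep copy of a parsed HAR 1.2 document, number of redactions).

    Every cookie value is redacted, not only suspiciously named ones: a cookie is a
    credential in its own right. Response bodies are dropped wholesale because they
    can echo tokens issued to the browser.
    """
    out = json.loads(json.dumps(har))  # HAR is plain JSON, so this is a safe deep copy
    redactions = 0
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            redactions += _redact_named(msg.get("headers", []), SENSITIVE_HEADERS)
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
                redactions += 1
        if "url" in req:
            req["url"], n = _redact_url_query(req["url"])
            redactions += n
        redactions += _redact_named(req.get("queryString", []), SENSITIVE_PARAMS)
        redactions += _redact_named(req.get("postData", {}).get("params", []), SENSITIVE_PARAMS)
        content = resp.get("content", {})
        if content.get("text"):
            content["text"] = REDACTED
            redactions += 1
    return out, redactions


def leaks(har, secrets):
    """Return the known secret strings that still appear anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return sorted(s for s in secrets if s in blob)


# Constructed single-entry HAR: the host, path, cookie and token values are all made up.
SAMPLE_SECRETS = ["102938abcdef", "tok-ABC123", "newsid999"]
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [{
            "request": {
                "url": "https://tenant.example/api/session?sessionToken=tok-ABC123",
                "headers": [
                    {"name": "Cookie", "value": "sid=102938abcdef; dt=device-token"},
                    {"name": "Accept", "value": "application/json"},
                ],
                "cookies": [{"name": "sid", "value": "102938abcdef"}],
                "queryString": [{"name": "sessionToken", "value": "tok-ABC123"}],
            },
            "response": {
                "headers": [{"name": "Set-Cookie", "value": "sid=newsid999; Secure; HttpOnly"}],
                "cookies": [{"name": "sid", "value": "newsid999"}],
                "content": {"mimeType": "application/json", "text": "{\"id\": \"102938abcdef\"}"},
            },
        }],
    }
}

if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"{count} values redacted; known secrets still present: {leaks(clean, SAMPLE_SECRETS)}")
```

Run it against a real export with `json.load(open(path))` in place of `SAMPLE_HAR`; the `leaks()` check with the session cookie values from your own browser is the quickest way to confirm nothing slipped through before the file leaves your machine.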

On October 17th, using the information provided by BeyondTrust, Okta pinpointed a service account with unusual activity that had previously gone unnoticed. The service account and all associated sessions were terminated.

On October 19th, Okta notified 1Password, Cloudflare, BeyondTrust, and a couple of others that they had been impacted by a data breach. At this time, Okta believed these were the only customers impacted.

Finally, in December 2023, the full scope of the breach was revealed. The hackers gained access to the files of 134 different customers and also downloaded a report listing the names and e-mail addresses of all customers who had used Okta support. These were used to launch phishing and other targeted attacks against the companies who had the bad luck to have needed Okta’s support.

What next?

After notifying the impacted customers and the appropriate regulators, Okta set to work. As an identity provider, transparency and thoroughness were the only hope of regaining customer trust. 

  1. Independent Forensic Investigation: Okta engaged Stroz Friedberg, a leading cybersecurity forensics firm, to conduct an independent investigation, which confirmed the company’s initial findings and identified no further malicious activity.
  2. Security Enhancements: In response to the breach, Okta implemented several security improvements, including:
    • Zero Standing Privileges for Administrators: Ensuring administrative roles are assigned only when necessary and for limited durations.
    • Multi-Factor Authentication (MFA) for Critical Actions: Requiring additional authentication steps for high-impact administrative tasks.
    • Enhanced Session Security: Implementing measures to detect and block requests from anonymizers and applying IP binding to Okta products and the Admin Console.
    • Restricting API Access: Enforcing allowlisted network zones for APIs to prevent unauthorized access. 
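The four enhancements above are policy decisions made on every administrative request, and they compose in a fixed order. The evaluator below is an added example that models them as one decision function; it is not Okta’s implementation, and the network ranges (TEST-NET addresses), action names, 15-minute MFA freshness window and 30-minute grant lifetime are constructed values chosen for illustration. It returns one of three decisions: deny when the request comes from an anonymizer, uses a session cookie from an IP other than the one it was bound to, calls an API from outside an allowlisted zone, or has no live admin grant; step_up when a high-impact action is attempted without recent MFA; and allow otherwise.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy data for the example (TEST-NET ranges stand in for real ones).
API_NETWORK_ZONES = [ip_network("203.0.113.0/24")]  # allowlisted zones for API calls
ANONYMIZER_NETWORKS = [ip_network("192.0.2.0/24")]  # stand-in for an anonymizer/proxy feed
HIGH_IMPACT_ACTIONS = {"create_admin", "change_mfa_policy", "reset_password", "create_api_token"}
MFA_FRESHNESS = timedelta(minutes=15)    # how recent MFA must be for a high-impact action
ADMIN_GRANT_TTL = timedelta(minutes=30)  # how long a just-in-time admin grant lasts


@dataclass
class Session:
    user: str
    bound_ip: str                           # IP the session was issued to (IP binding)
    mfa_at: Optional[datetime] = None       # last time this session satisfied MFA
    admin_until: Optional[datetime] = None  # expiry of a JIT admin grant; None = no admin rights


def grant_admin(session: Session, now: datetime) -> Session:
    """Zero standing privileges: admin rights exist only as a short-lived, explicit grant."""
    session.admin_until = now + ADMIN_GRANT_TTL
    return session


def evaluate(session: Session, source_ip: str, action: str, is_api: bool, now: datetime):
    """Decide an admin request. Returns (decision, reason); decision is allow, deny or step_up."""
    ip = ip_address(source_ip)
    if any(ip in net for net in ANONYMIZER_NETWORKS):
        return "deny", "request arrived from an anonymizer network"
    if ip != ip_address(session.bound_ip):
        return "deny", "session presented from an IP other than the one it is bound to"
    if is_api and not any(ip in zone for zone in API_NETWORK_ZONES):
        return "deny", "API access is only permitted from allowlisted network zones"
    if session.admin_until is None or now >= session.admin_until:
        return "deny", "no active admin grant (zero standing privileges)"
    if action in HIGH_IMPACT_ACTIONS and (session.mfa_at is None or now - session.mfa_at > MFA_FRESHNESS):
        return "step_up", "fresh MFA required for a high-impact action"
    return "allow", "policy satisfied"


def run_scenarios():
    """Constructed scenarios, one per control; returns {scenario_name: decision}."""
    now = datetime(2023, 10, 20, 9, 0, tzinfo=timezone.utc)

    def fresh_admin(bound_ip="203.0.113.10"):
        # Admin who completed MFA five minutes ago and just received a JIT grant.
        return grant_admin(Session("admin@tenant.example", bound_ip, mfa_at=now - timedelta(minutes=5)), now)

    results = {}
    results["normal_admin_action"] = evaluate(fresh_admin(), "203.0.113.10", "create_admin", False, now)[0]
    results["replayed_cookie_new_ip"] = evaluate(fresh_admin(), "198.51.100.7", "create_admin", False, now)[0]
    results["anonymizer_source"] = evaluate(fresh_admin("192.0.2.5"), "192.0.2.5", "view_logs", False, now)[0]
    results["api_outside_zone"] = evaluate(fresh_admin("198.51.100.7"), "198.51.100.7", "list_users", True, now)[0]
    expired = fresh_admin()
    expired.admin_until = now - timedelta(minutes=1)
    results["expired_admin_grant"] = evaluate(expired, "203.0.113.10", "view_logs", False, now)[0]
    stale = fresh_admin()
    stale.mfa_at = now - timedelta(hours=2)
    results["stale_mfa_high_impact"] = evaluate(stale, "203.0.113.10", "change_mfa_policy", False, now)[0]
    results["stale_mfa_low_impact"] = evaluate(stale, "203.0.113.10", "view_logs", False, now)[0]
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:24s} -> {decision}")
```

The ordering matters for the user-experience point raised later in the article: the IP-binding and zone checks are invisible to a legitimate admin and reject a replayed cookie outright, so the MFA step-up only fires for the small set of high-impact actions rather than on every request.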

Okta deserves credit for being forthright about how the breach happened and what steps they took to prevent it from happening again. While Monday morning quarterbacking always takes place after a major breach, there are plenty of large organizations that had – and undoubtedly still have – similar (or worse!) holes in their security posture.

A Better Way Forward

Some of the remedial actions taken highlight a critical problem that security measures often face – security comes at the expense of the user experience. It makes sense to session-limit administrators, and enabling MFA ensures that a compromised password will not result in widespread access, but one can imagine the poor Okta admins constantly having to reauthenticate and fumbling for their phones to accept a push notification or find a one-time passcode a million times over the course of a single work day. Besides the massive inconvenience this poses, it isn’t really addressing the real threat – after all, compromised credentials are the cause of over 80% of all data breaches.

Passwordless authentication is a rarity in that it is not only more secure but a significantly better user experience. Rather than racing to get a push notification or waiting for a text message, the authentication process happens with no user intervention required. Not only is this a win for users and security, but IT staff have far fewer password issues to deal with as well.

An ounce of prevention is worth a pound of cure, as the saying goes, and while Okta set the standard for a clear, transparent post-breach response, the data breach itself serves as a reminder of the vulnerabilities inherent in traditional security methods. Looking towards the future with passwordless authentication will stop the next breach before it happens (and let you put your phone down once in a while!).

Try Portnox Cloud for Free Today

Gain access to all of Portnox's powerful zero trust access control free capabilities for 30 days!