
Okta access token breach


24 October

Summary

1Password has confirmed suspicious activity in its Okta identity-management tenant and, after investigation, states that no 1Password user data was accessed. Cloudflare and BeyondTrust, also affected, likewise state that no customer data was stolen.

The malicious activity was first observed on 29 September and was directed at employee-facing applications. Access was gained with stolen credentials, as Okta has since disclosed.

Data could, however, be retrieved from Okta's support case management system: files that customers had uploaded to support cases were visible to the attacker. Okta has notified the customers it identified as impacted. The retrievable files were HTTP Archive (HAR) files, the browser recordings that support staff ask for when troubleshooting. A HAR file captures complete requests and responses, including cookies and session tokens, and with a still-valid session token an attacker can replay the session and impersonate the user without knowing the password or passing MFA.

Security recommendations

Okta recommends sanitizing all credentials and cookie/session tokens in a HAR file before sharing it. If a HAR file has already been shared with Okta support and there is any doubt about what it contained, we recommend revoking the sessions it may have captured and rotating the affected credentials (passwords and API tokens); a password reset does not necessarily invalidate sessions that are already established, so the sessions themselves must be cleared explicitly.
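A sanitizer for the case above, written for this bulletin as an added example (it is not Okta's or 1Password's tooling). It assumes the standard HAR 1.2 layout (log.entries[].request/response with headers, cookies, postData and content). The header and key lists are our own heuristic choices, not an exhaustive specification, and the sample capture is constructed for the demonstration. Beyond the cookies and session tokens the advisory names, it also redacts query-string tokens, JSON body fields and JWT-shaped strings, because those leak through the same channel:

```python
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names whose values carry credentials or session material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-okta-xsrftoken", "x-csrf-token"}
# Query, form and JSON keys that commonly carry secrets (heuristic list; extend it for your own apps).
SENSITIVE_KEYS = {"token", "access_token", "id_token", "refresh_token", "sessiontoken",
                  "session_token", "client_secret", "password", "sid", "code"}
# key=value pairs in non-JSON bodies, and JWT-shaped strings (three base64url segments).
KV_RE = re.compile(r"(?i)\b(" + "|".join(sorted(SENSITIVE_KEYS)) + r")=([^&\s;\"']+)")
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")


class HarSanitizer:
    # Redacts secrets from a parsed HAR 1.2 document and counts every value it replaces.
    def __init__(self):
        self.redacted = 0

    def _hit(self, _match=None):  # also usable as a re.sub callback
        self.redacted += 1
        return REDACTED

    def scrub_pairs(self, pairs, names=None):
        # HAR headers, cookies and form params are all lists of {"name", "value"} objects;
        # names=None means every entry is sensitive, which is how cookies are treated.
        for p in pairs:
            if names is None or p.get("name", "").lower() in names:
                p["value"] = self._hit()

    def scrub_url(self, url):
        parts = urlsplit(url)
        query = [(k, self._hit() if k.lower() in SENSITIVE_KEYS else v)
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        return urlunsplit(parts._replace(query=urlencode(query)))

    def scrub_obj(self, obj):
        # Walk decoded JSON and redact any value stored under a sensitive key.
        if isinstance(obj, dict):
            return {k: self._hit() if k.lower() in SENSITIVE_KEYS else self.scrub_obj(v)
                    for k, v in obj.items()}
        if isinstance(obj, list):
            return [self.scrub_obj(v) for v in obj]
        return obj

    def scrub_text(self, text):
        if not text:
            return text
        try:
            return json.dumps(self.scrub_obj(json.loads(text)))
        except ValueError:
            pass  # not JSON: fall back to pattern matching on the raw body
        text = KV_RE.sub(lambda m: m.group(1) + "=" + self._hit(), text)
        return JWT_RE.sub(self._hit, text)

    def sanitize(self, har):
        clean = copy.deepcopy(har)  # never mutate the caller's capture
        for entry in clean.get("log", {}).get("entries", []):
            req, resp = entry.get("request", {}), entry.get("response", {})
            if "url" in req:
                req["url"] = self.scrub_url(req["url"])
            post, content = req.get("postData", {}), resp.get("content", {})
            for body in (post, content):
                if "text" in body:
                    body["text"] = self.scrub_text(body["text"])
            self.scrub_pairs(post.get("params", []), SENSITIVE_KEYS)
            for side in (req, resp):
                self.scrub_pairs(side.get("headers", []), SENSITIVE_HEADERS)
                self.scrub_pairs(side.get("cookies", []))
        return clean


def sanitize_har(har):
    s = HarSanitizer()  # returns (redacted copy of the HAR, number of values replaced)
    return s.sanitize(har), s.redacted


JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhIn0.c2lnbmF0dXJlX2hlcmU"  # constructed, not a real token
# Constructed sample capture (not a real HAR) holding the kinds of values that must not leave the company.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me?sessionToken=20111abcdef&expand=x",
                 "headers": [{"name": "Cookie", "value": "sid=102ABCxyz; JSESSIONID=DEADBEEF"},
                             {"name": "Authorization", "value": "SSWS 00aBcDeFgH"}],
                 "cookies": [{"name": "sid", "value": "102ABCxyz"}]},
     "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=102ABCxyz; Secure; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "102ABCxyz"}],
                  "content": {"mimeType": "application/json", "text": json.dumps(
                      {"id": "00u1", "profile": {"login": "a@example.com"}, "access_token": JWT})}}},
    {"request": {"method": "POST", "url": "https://example.okta.com/api/v1/authn", "headers": [], "cookies": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "username=a%40example.com&password=hunter2",
                              "params": [{"name": "username", "value": "a@example.com"},
                                         {"name": "password", "value": "hunter2"}]}},
     "response": {"status": 200, "headers": [], "cookies": [],
                  "content": {"mimeType": "text/html", "text": "<script>var t='" + JWT + "';</script>"}}},
]}}

if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR)[0], indent=1))
```

Redaction is best effort: it cannot know every place an application stashes a token, so the safer routine is to record the HAR in a fresh browser profile logged in with a throwaway session, sanitize it, and revoke that session once the case is closed. Even a sanitized HAR still contains URLs, usernames and response bodies, so review it before uploading.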

More information can be found in Okta's advisory.

Okta has also provided a list of IoCs:

IP Addresses:

23.105.182.19
104.251.211.122
202.59.10.100
162.210.194.35 (BROWSEC VPN)
198.16.66.124 (BROWSEC VPN)
198.16.66.156 (BROWSEC VPN)
198.16.70.28 (BROWSEC VPN)
198.16.74.203 (BROWSEC VPN)
198.16.74.204 (BROWSEC VPN)
198.16.74.205 (BROWSEC VPN)
198.98.49.203 (BROWSEC VPN)
2.56.164.52 (NEXUS PROXY)
207.244.71.82 (BROWSEC VPN)
207.244.71.84 (BROWSEC VPN)
207.244.89.161 (BROWSEC VPN)
207.244.89.162 (BROWSEC VPN)
23.106.249.52 (BROWSEC VPN)
23.106.56.11 (BROWSEC VPN)
23.106.56.21 (BROWSEC VPN)
23.106.56.36 (BROWSEC VPN)
23.106.56.37 (BROWSEC VPN)
23.106.56.38 (BROWSEC VPN)
23.106.56.54 (BROWSEC VPN)

User-Agents:

While the following user-agents are legitimate, they may be rare in your environment, since Chrome 99 was released in March 2022 and most browsers will have updated long ago.

Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)
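One way to sweep an Okta System Log export for the indicators above, written for this bulletin as an added example (not Okta's code). It assumes the System Log event shape (client.ipAddress, client.userAgent.rawUserAgent, request.ipChain, actor.alternateId, published, eventType); the function names classify and scan are ours, the sample events are constructed, and treating any Chrome at or below version 99 as a weak signal is our own threshold rather than Okta's guidance. It checks every hop in request.ipChain, not only the first IP, so an IoC behind a proxy or VPN egress is still caught:

```python
import json
import re

# Indicators from Okta's list, as reproduced in this bulletin.
IOC_IPS = {
    "23.105.182.19", "104.251.211.122", "202.59.10.100", "162.210.194.35",
    "198.16.66.124", "198.16.66.156", "198.16.70.28", "198.16.74.203",
    "198.16.74.204", "198.16.74.205", "198.98.49.203", "2.56.164.52",
    "207.244.71.82", "207.244.71.84", "207.244.89.161", "207.244.89.162",
    "23.106.249.52", "23.106.56.11", "23.106.56.21", "23.106.56.36",
    "23.106.56.37", "23.106.56.38", "23.106.56.54",
}
IOC_UA_WINDOWS = ("Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/99.0.7113.93 Safari/537.36")
IOC_UA_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/99.0.4844.83 Safari/537.36")
IOC_USER_AGENTS = {IOC_UA_WINDOWS, IOC_UA_MAC}
# Chrome 99 shipped in March 2022. Flagging any Chrome that old is our own weak-signal threshold, not Okta's.
STALE_CHROME_MAJOR = 99
CHROME_RE = re.compile(r"Chrome/(\d+)\.")


def classify(event):
    """Return the reasons one Okta System Log event matches an indicator (empty list = no match)."""
    reasons = []
    client = event.get("client") or {}
    # Check the direct client IP and every hop Okta recorded in request.ipChain (proxies, VPN egress).
    ips = {client.get("ipAddress")}
    ips.update(hop.get("ip") for hop in (event.get("request") or {}).get("ipChain", []))
    for ip in sorted(ip for ip in ips if ip):
        if ip in IOC_IPS:
            reasons.append(f"ip:{ip}")
    ua = (client.get("userAgent") or {}).get("rawUserAgent") or ""
    if ua in IOC_USER_AGENTS:
        reasons.append("ua:exact-ioc")
    else:
        m = CHROME_RE.search(ua)
        if m and int(m.group(1)) <= STALE_CHROME_MAJOR:
            reasons.append(f"ua:stale-chrome-{m.group(1)}")  # legitimate but rare: triage, don't block
    return reasons


def scan(events):
    """Run classify() over an iterable of System Log events and return the ones that hit."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append({"published": ev.get("published"), "actor": (ev.get("actor") or {}).get("alternateId"),
                         "eventType": ev.get("eventType"), "reasons": reasons})
    return hits


def scan_jsonl(lines):
    """Same, for a System Log export saved as one JSON event per line."""
    return scan(json.loads(line) for line in lines if line.strip())


# Constructed sample events in System Log shape (the timestamps are made up; none of these are real entries).
SAMPLE_EVENTS = [
    {"published": "2023-09-29T14:02:11.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "23.105.182.19", "userAgent": {"rawUserAgent": IOC_UA_WINDOWS}}},
    {"published": "2023-09-29T14:05:40.000Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent":
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"}}},
    {"published": "2023-09-29T14:07:02.000Z", "eventType": "system.api_token.create",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.55", "userAgent": {"rawUserAgent": "okta-sdk-python/2.9.0"}},
     "request": {"ipChain": [{"ip": "203.0.113.55"}, {"ip": "198.16.74.204"}]}},
    {"published": "2023-09-29T14:09:27.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "carol@example.com"},
     "client": {"ipAddress": "198.51.100.7", "userAgent": {"rawUserAgent":
                "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"}}},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for hit in scan_jsonl(SAMPLE_JSONL.splitlines()):
        print(hit)
```

Feed it the events returned by the System Log API (GET /api/v1/logs with a since parameter covering late September onward) or an export from your SIEM. An IP hit is strong enough to open an investigation on its own; the stale-Chrome signal only narrows the set of sessions worth a closer look, so do not block on it. For any actor that hits, review what happened in the session (API token creation and admin-console changes in particular) before clearing sessions and rotating credentials.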