Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

Stolen Credentials Expose Okta Customer Data

Executive Summary

On October 19, Okta, an identity and access management (IAM) services provider offering tools like multi-factor authentication and single sign-on, disclosed adversarial activity. This activity involved the use of a stolen credential to access Okta’s support case management system, potentially exposing sensitive customer data. The issue was brought to attention when BeyondTrust, one of Okta’s customers, detected unusual activity in early October.

Okta has since identified and contained the incident, reassured impacted customers, and provided guidance on how to check for any indicators of compromise.

About the Hack

The threat actor leveraged a stolen credential to access Okta’s support case management system and was able to view files uploaded by certain customers.

Particularly, when Okta is troubleshooting with customers, it often requests a recording of a web browser session (an HTTP Archive or HAR file), which may contain sensitive information like cookies and session tokens.

The incident was initially flagged by BeyondTrust on October 2, when they observed unauthorized attempts to create an administrator account within their Okta environment, shortly after sharing a HAR file with Okta.

The disclosure from Okta comes in the wake of recent cyberattacks on casino giants Caesar’s Entertainment and MGM Resorts, where Okta was identified as the initial attack vector. In both cases, the attackers successfully manipulated employees into resetting the multi-factor login requirements for Okta administrator accounts.

Response from Okta

Post-incident, Okta has disabled the compromised customer case management account and invalidated associated Okta access tokens. Okta’s Chief Security Officer, David Bradbury, published a blog post detailing the incident and provided information on how customers can check for any indicators of compromise. He stressed that all affected customers have been notified and outlined steps for customers to ascertain if they were affected.

According to Okta’s Deputy Chief Information Security Officer, Charlotte Wylie, the company initially believed that the alert from BeyondTrust on October 2 was not indicative of a breach in their systems. However, by October 17, Okta had identified and contained the incident by disabling the compromised customer case management account and invalidating associated Okta access tokens. Wylie declined to disclose the exact number of customers who received alerts regarding the potential security issue but described it as a “very, very small subsetof Okta’s more than 18,000 customers.


Importance of Identity and Access Management (IAM): IAM systems like Okta are crucial for organisational security by controlling access to resources. They are fundamental in enforcing security policies, managing user identities, and mitigating unauthorised access risks. The adversarial activity experienced by Okta underlines the importance of having robust IAM systems in place, as they are often targeted by malicious actors aiming to exploit credentials and gain unauthorized access to sensitive systems and data.

Vigilance Towards Providers: Stay updated with advisories, updates, or patches released by IAM providers, and monitor their security posture regularly.

Provider Transparency and Responsiveness: Okta’s disclosure and actions post-incident exemplify the transparency and responsiveness desirable in IAM providers.

Adherence to Best Practices:

  • Regular Audits and Monitoring: Conduct regular security audits and continuous monitoring of IAM systems to detect any anomalous activities or potential vulnerabilities.
  • Multi-Factor Authentication (MFA): Ensure MFA is enabled and properly configured to add an extra layer of security.
  • Educate and Train Employees: Educate employees on the importance of security hygiene and train them to recognise phishing attempts or other malicious activities that could lead to credential theft.
  • Stay Updated: Ensure that the IAM systems are updated with the latest patches and security configurations to mitigate known vulnerabilities.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.