Type: Incident
Actors:
Pub. date: October 20, 2023
Initial access: End-user compromise
Impact: Supply chain attack
References:
Status: Stub
Last edited: Jun 2, 2024 8:02 AM

The threat actor gained access to Okta’s environment, and figured out that Okta was storing unsanitized HAR files (recordings of browser activity) that customers were sharing with the Okta support team to help with troubleshooting. These HAR files sometimes contained customer session tokens for Okta’s platform, so they represented a veritable goldmine for the threat actor, who managed to reuse these session tokens to gain access to a few different organizations. Some of those organizations even came forward to publicly state that they were affected, which is a rare occurrence.
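
An added example, not part of the original write-up or any Okta tooling: a minimal sanitizer that redacts session material (cookies, auth headers, token-like parameters, bodies) from a parsed HAR file before it is shared for troubleshooting. The name-matching heuristic, the `[REDACTED]` marker and the sample data are assumptions constructed for illustration.

```python
import re

REDACTED = "[REDACTED]"
# Headers that carry credentials or session state.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Heuristic (an assumption of this example) for names that tend to hold secrets.
SECRET_NAME = re.compile(r"token|session|sid|secret|passw|api[-_]?key|auth", re.I)
URL_PARAM = re.compile(r"([?&#]([^=&#]+)=)([^&#]*)")

def _redact_pairs(pairs, always=False):
    """Redact values in a list of {name, value} items; return the number changed."""
    hits = 0
    for item in pairs or []:
        name = item.get("name", "")
        if always or name.lower() in SENSITIVE_HEADERS or SECRET_NAME.search(name):
            item["value"] = REDACTED
            hits += 1
    return hits

def _mask(m):
    """Regex callback: redact a URL parameter whose name looks secret."""
    return m.group(1) + REDACTED if SECRET_NAME.search(m.group(2)) else m.group(0)

def sanitize_har(har):
    """Redact credentials in a parsed HAR dict in place; return the redaction count."""
    hits = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            hits += _redact_pairs(msg.get("headers"))
            hits += _redact_pairs(msg.get("cookies"), always=True)
        hits += _redact_pairs(req.get("queryString"))
        # The URL repeats the query string, so it is rewritten too (not counted).
        req["url"] = URL_PARAM.sub(_mask, req.get("url", ""))
        # Bodies can embed tokens in any format, so drop them wholesale.
        for body in (req.get("postData"), resp.get("content")):
            if body and body.get("text"):
                body["text"] = REDACTED
                hits += 1
    return hits

# Constructed sample input: a session cookie, a token parameter and a token in a body.
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://example.test/app?view=home&sessionToken=abc123",
                "headers": [{"name": "Cookie", "value": "sid=abc123"},
                            {"name": "Accept", "value": "text/html"}],
                "queryString": [{"name": "sessionToken", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=def456"}],
                 "cookies": [{"name": "sid", "value": "def456"}],
                 "content": {"text": '{"token": "def456"}'}}}]}}
```

Name-based matching is a heuristic, so the output should still be reviewed before sharing, since tokens can appear under unexpected names.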