Costly Impact of the Okta Support Breach
In late October 2023, identity management leader Okta disclosed a breach of its customer support case management system. Okta's core authentication service itself was not compromised, but the support system held files customers had uploaded while troubleshooting, and some of those files contained live session cookies and tokens. Those secrets were enough to reach into customers' own Okta tenants, which is why a breach of a support portal had consequences far beyond the support portal. The incident is a pointed reminder that customer support systems need the same protection as production systems.
How the Breach Occurred
According to Okta and to the researchers who analysed the incident, the attacker held a valid credential for an Okta customer support account and used it to sign in to Okta's support case management system and view files attached to support cases. How that credential was obtained was not clear at first; Okta's later root-cause update attributed it to a service-account credential that had been saved into an employee's personal Google account from an Okta-managed laptop, so the compromise started with credential exposure rather than with a flaw in the support portal itself.
The data the attacker actually wanted came from HTTP Archive (HAR) files attached to support tickets. A HAR file is a JSON recording of a browser session: every request and response, with full headers and bodies. Support engineers routinely ask for one because it lets them replay exactly what the user saw. The same completeness is the problem. Unless it is scrubbed before upload, a HAR captured while signed in to an admin console contains the session cookies, Authorization and API-token headers, OAuth codes and tokens in query strings, and any passwords or secrets submitted in request bodies, along with response bodies that may reveal internal application detail.
A session cookie lifted from one of these files is as good as the session it belongs to. Replaying it against the customer's Okta tenant drops the attacker into that user's existing session, with no password and no MFA prompt, because from Okta's point of view the session was already authenticated. That is how a breach of Okta's support system turned into unauthorized access to customers' own Okta admin consoles.
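The practical control that follows from the two paragraphs above is to scrub a HAR file before it ever leaves the customer's machine. The following Python is an added illustration for this article, not code from Okta, Kiteworks or any of the companies named here; the header and parameter lists are my own choices and the embedded HAR is constructed for the example. It redacts cookie and authorization headers, the parsed cookie lists HAR keeps alongside them, sensitive query parameters both in the URL and in the `queryString` list, secret-bearing JSON fields in request and response bodies, and anything that looks like a JWT regardless of which key it sits under.

```python
"""Redact credential-bearing fields from a HAR file before attaching it to a
support ticket. Added example for this article (not Okta's or Kiteworks' code);
SAMPLE_HAR below is constructed, not a real capture."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names that routinely carry bearer credentials (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "x-okta-xsrftoken"}
# Query-string, form and JSON keys that commonly carry secrets (assumed list).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "sessiontoken",
                    "code", "password", "api_key", "apikey", "client_secret"}
# "key": "value" pairs in JSON bodies whose key is sensitive.
JSON_SECRET_RE = re.compile(
    r'("(?:' + "|".join(sorted(SENSITIVE_PARAMS)) + r')"\s*:\s*")([^"]*)(")', re.IGNORECASE)
# Anything shaped like a JWT (three base64url segments starting with "eyJ").
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _scrub_pairs(pairs, names):
    """Redact the value of every {"name", "value"} pair whose name is in `names`."""
    hits = 0
    for pair in pairs:
        if pair.get("name", "").lower() in names and pair.get("value"):
            pair["value"] = REDACTED
            hits += 1
    return hits


def _scrub_url(url):
    """Redact sensitive query parameters inside the request URL itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    hits, query = 0, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS and value:
            value, hits = REDACTED, hits + 1
        query.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(query))), hits


def _scrub_body(text):
    """Redact secret-bearing JSON fields, then any JWT-shaped string, in a body."""
    text, n1 = JSON_SECRET_RE.subn(lambda m: m.group(1) + REDACTED + m.group(3), text)
    text, n2 = JWT_RE.subn(REDACTED, text)
    return text, n1 + n2


def sanitize_har(har):
    """Return (sanitized deep copy of a parsed HAR dict, number of redactions made)."""
    har = copy.deepcopy(har)
    hits = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if req.get("url"):
            req["url"], n = _scrub_url(req["url"])
            hits += n
        hits += _scrub_pairs(req.get("headers", []), SENSITIVE_HEADERS)
        hits += _scrub_pairs(resp.get("headers", []), SENSITIVE_HEADERS)
        # HAR stores cookies a second time as parsed lists; scrub every value there too.
        for cookie in req.get("cookies", []) + resp.get("cookies", []):
            if cookie.get("value"):
                cookie["value"] = REDACTED
                hits += 1
        hits += _scrub_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        post = req.get("postData") or {}
        hits += _scrub_pairs(post.get("params", []), SENSITIVE_PARAMS)
        if post.get("text"):
            post["text"], n = _scrub_body(post["text"])
            hits += n
        content = resp.get("content") or {}
        if content.get("text"):
            content["text"], n = _scrub_body(content["text"])
            hits += n
    return har, hits


def sanitize_har_json(text):
    """Same as sanitize_har, but in and out as the JSON text of a .har file."""
    clean, hits = sanitize_har(json.loads(text))
    return json.dumps(clean, indent=2), hits


JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJlc2lnbmF0dXJl"  # constructed
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://example.okta.com/api/v1/users/me?token=abc123&limit=10",
        "headers": [{"name": "Cookie", "value": "sid=102abcSESSION; DT=DT01"},
                    {"name": "Authorization", "value": "SSWS 00abcdefAPIKEY"}],
        "cookies": [{"name": "sid", "value": "102abcSESSION"}],
        "queryString": [{"name": "token", "value": "abc123"}, {"name": "limit", "value": "10"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"password": "hunter2", "login": "a@example.com"}'}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=NEWSESSION; Path=/; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "NEWSESSION"}],
        "content": {"mimeType": "application/json",
                    "text": '{"id_token": "%s", "stateToken": "%s", "status": "SUCCESS"}' % (JWT, JWT)}}}]}}
SAMPLE_HAR_JSON = json.dumps(SAMPLE_HAR)

if __name__ == "__main__":
    out, hits = sanitize_har_json(SAMPLE_HAR_JSON)
    print(hits, "redactions")
    print(out)
```

Run on the embedded sample it makes ten redactions and leaves non-secret fields such as the login name and the `limit` parameter intact, which is the point: the file stays useful to the support engineer. A deny-list like this is never complete, so the review step before upload should still be a human one, and the safer long-term answer is for the support platform to refuse or strip credentials on ingest rather than rely on every customer remembering to scrub.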
How the Breach Was Detected
The intrusion surfaced through Okta's customers rather than through Okta. On October 2, BeyondTrust detected an attempt to use a valid Okta session cookie, taken from a HAR file one of its engineers had uploaded to Okta support, against its own Okta administrator account, and reported it to Okta the same day. Cloudflare later found that the attacker had replayed a session token from a HAR file uploaded by a Cloudflare employee to reach Cloudflare's Okta instance. In both cases the tell was the same: an already-authenticated session turning up somewhere it had no business being.
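What the paragraph above describes is, in detection terms, session hijacking: a session identifier that was minted for one browser on one network being used from another. The following Python is an added example for this article, not BeyondTrust's, Cloudflare's or Okta's detection logic. It baselines each session on the source IP and user agent of the first event seen for that session id and raises an alert whenever a later event in the same session arrives from a different one, with a higher severity when the event is an admin action. The records are constructed, shaped like Okta System Log events (`authenticationContext.externalSessionId`, `client.ipAddress`, `client.userAgent.rawUserAgent`); the `ADMIN_EVENTS` set is an assumption for the example.

```python
"""Flag sessions whose id shows up from a new source IP or browser, which is what
a replayed cookie from a stolen HAR file looks like in an identity provider's log.
Added example for this article; EVENTS is constructed, in the shape of Okta
System Log records, and is not real log data."""

# Event types that indicate privileged use of the session (assumed list).
ADMIN_EVENTS = {"user.session.access_admin_app", "system.api_token.create"}


def _event(published, event_type, user, session_id, ip, user_agent):
    """Build one constructed log record with the fields the detector reads."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": user},
            "authenticationContext": {"externalSessionId": session_id},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": user_agent}}}


MAC_CHROME = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/118.0"
WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
LINUX_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"

EVENTS = [  # constructed: alice's session later replays from a new host; bob's does not
    _event("2023-10-02T09:00:00Z", "user.session.start", "alice@example.com",
           "102abcSESSION", "203.0.113.10", MAC_CHROME),
    _event("2023-10-02T09:00:05Z", "user.authentication.sso", "alice@example.com",
           "102abcSESSION", "203.0.113.10", MAC_CHROME),
    _event("2023-10-02T09:10:00Z", "user.session.start", "bob@example.com",
           "sessB", "203.0.113.20", LINUX_FIREFOX),
    _event("2023-10-02T14:05:12Z", "user.session.access_admin_app", "alice@example.com",
           "102abcSESSION", "198.51.100.77", WIN_CHROME),
    _event("2023-10-02T14:06:30Z", "system.api_token.create", "alice@example.com",
           "102abcSESSION", "198.51.100.77", WIN_CHROME),
    _event("2023-10-02T14:20:00Z", "user.session.access_admin_app", "bob@example.com",
           "sessB", "203.0.113.20", LINUX_FIREFOX),
]


def find_session_anomalies(events):
    """Return one alert per event whose session id is reused from a different
    source IP or user agent than the first event seen for that session."""
    baseline = {}   # session id -> first-seen ip / ua / user / time
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        if not sid:
            continue  # events without a session id cannot be correlated this way
        ip = ev["client"]["ipAddress"]
        ua = ev["client"]["userAgent"]["rawUserAgent"]
        if sid not in baseline:
            baseline[sid] = {"ip": ip, "ua": ua, "user": ev["actor"]["alternateId"],
                             "since": ev["published"]}
            continue
        base = baseline[sid]
        reasons = []
        if ip != base["ip"]:
            reasons.append("ip")
        if ua != base["ua"]:
            reasons.append("user_agent")
        if reasons:
            alerts.append({"session": sid, "user": base["user"],
                           "baseline_ip": base["ip"], "baseline_since": base["since"],
                           "new_ip": ip, "event": ev["eventType"], "at": ev["published"],
                           "reasons": reasons,
                           "severity": "high" if ev["eventType"] in ADMIN_EVENTS else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_session_anomalies(EVENTS):
        print(alert["severity"].upper(), alert["at"], alert["user"], alert["session"],
              alert["event"], alert["baseline_ip"], "->", alert["new_ip"], alert["reasons"])
```

On the constructed events this raises two high-severity alerts for alice's session and none for bob's. A baseline keyed on the first event is the simplest form of this check; a production version would also treat admin-app access in a session with no preceding session-start event as suspicious (a replayed cookie does not log in), enrich the IP change with ASN or geolocation distance, and ideally bind sessions to the client so that a copied cookie does not work at all.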
Risk of Third-party Breaches
This breach is a textbook supply chain attack, which has become a prime vector for intruders. Industry breach-cost studies consistently find that incidents originating at a third party cost more to contain than average, partly because they are discovered later. Suppliers frequently hold broad access to customer networks, data, and applications. Once inside a vendor's systems, attackers can ride those trusted access paths into downstream customers, and because the activity arrives through a legitimate third-party channel it tends to look like normal business to the controls watching the perimeter.
Why Modern Support Systems Are at Risk
The Okta breach underscores the immense risks involved with modern customer support systems, which handle extremely sensitive data, including:
Best Practices to Secure Support Systems
To prevent breaches involving customer support, leading practices include:
Way Forward After the Breach
The Okta customer support breach provides a sobering case study of how hackers are increasingly targeting trusted third-party access to infiltrate downstream customers. All companies must learn from this incident and take action to lock down their own customer support systems. Follow security best practices around encryption, access controls, activity monitoring, compliance audits, and seamless application integrations. With the right sensitive content communications platform, customer support teams can be equipped to provide great service without putting troves of confidential data at risk.
For more information on the Kiteworks-enabled Private Content Network and how Customer Support organizations can leverage it, click here.
Advisor - ISO/IEC 27001 and 27701 Lead Implementer - Named security expert to follow on LinkedIn in 2024 - MCNA - MITRE ATT&CK - LinkedIn Top Voice 2020 in Technology - All my content is sponsored
It's another learning occasion. I think this should remind us of the long path toward security and privacy by default and by design that we need to achieve to even consider building trust with technology. One of the avenues here would be to look toward "zero knowledge encryption", so that the content can't be exploited ever. The HAR file was one of the main information leaks leading to the larger impact. Sadly, we see the cloud eager to monetize all aspects of the collected data, but in fact, this is triggering way more damage than benefits.