October Customer Support Security Incident - Update and Recommended Actions (2024)

Related posts: Root Cause Analysis [RCA] - Nov 3, 2023 / Security Incident - Oct 20, 2023

In the wake of the security incident Okta disclosed in October 2023 affecting our customer support management system (also known as the Okta Help Center), Okta Security has continued to review our initial analysis shared on November 3, re-examining the actions that the threat actor performed. This included manually recreating reports the threat actor ran in the system and the files the threat actor downloaded.

Today we are sharing new information that potentially impacts the security of our customers.

We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRAMP High and DoD IL4 environments (these environments use a separate support system that the threat actor did NOT access). The Auth0/CIC support case management system was also not impacted by this incident.

The threat actor ran a report on September 28, 2023 at 15:06 UTC that contained the following fields for each user in Okta’s customer support system:

  • Created Date
  • Last Login
  • Full Name
  • Username
  • Email
  • Company Name
  • User Type
  • Address
  • [Date of] Last Password Change or Reset
  • Role: Name
  • Role: Description
  • Phone
  • Mobile
  • Time Zone
  • SAML Federation ID

The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address.

While we do not have direct knowledge or evidence that this information is being actively exploited, the threat actor may use it to target Okta customers with phishing or social engineering attacks. Okta customers sign in to Okta's customer support system with the same accounts they use in their own Okta org, and many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled, both to protect the customer support system and to secure access to their Okta admin console(s).

Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users. While 94% of Okta customers already require MFA for their administrators, we recommend that ALL Okta customers enforce MFA and consider phishing-resistant authenticators to further enhance their security. Please refer to the product documentation to enable MFA for the admin console (Classic or OIE).
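The recommendation above is only actionable if you know which of your administrators lack MFA, and which are on MFA that a phishing kit can relay (SMS, push, TOTP). The script below is an added example, not Okta's tooling: it pulls users, their admin role assignments and their enrolled factors from the Okta Management API and sorts each admin into "no MFA", "phishable MFA" or "phishing-resistant". The endpoint paths, the SSWS token header and the factorType strings are my reading of the Factors and Roles APIs and should be checked against current documentation; the sample records are constructed, not real accounts.

```python
"""Audit Okta administrators for MFA enrollment and phishing-resistant factors.

Added example (not Okta's code). Endpoints used, as documented in the
Okta Management API at the time of writing (verify before relying on them):
  GET /api/v1/users                  list users
  GET /api/v1/users/{id}/roles       admin role assignments for a user
  GET /api/v1/users/{id}/factors     factors the user has enrolled
"""
import json
import urllib.request

# Assumed factorType values. WebAuthn/U2F are origin-bound and Okta Verify
# FastPass enrolls as "signed_nonce"; everything else can be relayed by an
# adversary-in-the-middle phishing kit. Smart card (PIV/CAC) sign-in is an
# IdP-type authenticator and may not surface in this list at all.
PHISHING_RESISTANT = {"webauthn", "u2f", "signed_nonce"}
PHISHABLE_MFA = {"push", "token:software:totp", "token:hardware", "token",
                 "sms", "call", "email", "question"}


def strongest_factor(factors):
    """Return 'phishing_resistant', 'mfa' or 'none' for a user's factor list.

    Only ACTIVE enrollments count: a factor still in PENDING_ACTIVATION
    protects nothing, and is a common reason an admin "has WebAuthn" on paper
    but still signs in with a password alone.
    """
    active = {f["factorType"] for f in factors if f.get("status") == "ACTIVE"}
    if active & PHISHING_RESISTANT:
        return "phishing_resistant"
    if active & PHISHABLE_MFA:
        return "mfa"
    return "none"


def classify_admins(users, roles_by_user, factors_by_user):
    """Return {login: (sorted role types, tier)} for users holding any admin role."""
    result = {}
    for u in users:
        roles = sorted(r["type"] for r in roles_by_user.get(u["id"], []))
        if not roles:
            continue  # not an administrator; out of scope for this audit
        login = u["profile"]["login"]
        result[login] = (roles, strongest_factor(factors_by_user.get(u["id"], [])))
    return result


def findings(classified):
    """Split the classification into the two lists an auditor acts on first."""
    no_mfa = sorted(l for l, (_, t) in classified.items() if t == "none")
    phishable = sorted(l for l, (_, t) in classified.items() if t == "mfa")
    return no_mfa, phishable


def okta_get(org_url, token, path):
    """GET a Management API path with an SSWS API token (assumed header form)."""
    req = urllib.request.Request(
        f"{org_url}{path}",
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_org(org_url, token):
    """Live run against an org. Pagination via the Link header is not implemented,
    so orgs with more than 200 users need that added before the result is complete."""
    users = okta_get(org_url, token, "/api/v1/users?limit=200")
    roles = {u["id"]: okta_get(org_url, token, f"/api/v1/users/{u['id']}/roles") for u in users}
    factors = {u["id"]: okta_get(org_url, token, f"/api/v1/users/{u['id']}/factors")
               for u in users if roles[u["id"]]}
    return classify_admins(users, roles, factors)


# Constructed sample records in the shape of the three API responses (not real data).
SAMPLE_USERS = [
    {"id": "00u1", "profile": {"login": "alice@example.com"}},
    {"id": "00u2", "profile": {"login": "bob@example.com"}},
    {"id": "00u3", "profile": {"login": "carol@example.com"}},
    {"id": "00u4", "profile": {"login": "dave@example.com"}},
]
SAMPLE_ROLES = {
    "00u1": [{"type": "SUPER_ADMIN"}],
    "00u2": [{"type": "HELP_DESK_ADMIN"}],
    "00u3": [{"type": "APP_ADMIN"}, {"type": "REPORT_ADMIN"}],
    "00u4": [],  # ordinary end user, ignored
}
SAMPLE_FACTORS = {
    "00u1": [{"factorType": "webauthn", "status": "ACTIVE"}, {"factorType": "push", "status": "ACTIVE"}],
    "00u2": [{"factorType": "sms", "status": "ACTIVE"}],
    "00u3": [{"factorType": "webauthn", "status": "PENDING_ACTIVATION"}],  # never finished enrolling
    "00u4": [],
}

if __name__ == "__main__":
    classified = classify_admins(SAMPLE_USERS, SAMPLE_ROLES, SAMPLE_FACTORS)
    no_mfa, phishable = findings(classified)
    print("admins with no active MFA:      ", no_mfa)
    print("admins on phishable MFA only:   ", phishable)
```

Run it offline as-is to see the classification on the sample data; for a live audit call `audit_org("https://your-org.okta.com", token)` with a read-only API token. Help desk admins deserve the same treatment as super admins here: the recommendations below single them out as a social engineering target, and a help desk account on SMS-only MFA is the account a password-reset pretext is aimed at.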

How we discovered this

Following the publication of the RCA on November 3, Okta Security reviewed our initial analysis of the actions that the threat actor performed, including manually recreating the reports that the threat actor ran within the customer support system. We identified that the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation. After additional analysis, we concluded that the report contained a list of all customer support system users. The discrepancy in our initial analysis stems from the threat actor running an unfiltered view of the report. Our November review identified that if the filters were removed from the templated report, the downloaded file was considerably larger - and more closely matched the size of the file download logged in our security telemetry.

We also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data.

We are working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion.

Implementing recommended best practices

We recommend all customers immediately take the following actions to defend against potential attacks that target their Okta administrators.

  • Multi-Factor Authentication (MFA): We strongly recommend all Okta customers secure admin access using MFA at a minimum. We also strongly encourage customers to enroll administrative users in phishing-resistant authenticators (such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC smart cards) and to enforce phishing resistance for access to all administrative applications. Please refer to the product documentation to enable MFA for the admin console (Classic or OIE).
  • Admin Session Binding: As communicated in the Security Incident RCA, customers can now enable an Early Access feature in Okta that requires admins to reauthenticate if their session is reused from an IP address with a different ASN (Autonomous System Number). Okta strongly recommends customers enable this feature to further secure admin sessions.
  • Admin Session Timeout: To align with NIST AAL3 guidelines and increase the security posture of every customer, Okta is introducing Admin Console timeouts that will be set to a default of 12-hour session duration and a 15-minute idle time. Customers will have the option to edit these settings. This will be available as an Early Access feature starting November 29th for preview orgs and December 4th for production orgs. The feature will be available for all production orgs by January 8th, 2024. An email was sent to all Super Admins regarding this change on November 27th, and a copy of that communication can be found in the Knowledge Base article: Admin Session Lifetime/Idle Timeout Security Enhancements.
  • Phishing Awareness: In addition, Okta customers should be vigilant of phishing attempts that target their employees and especially wary of social engineering attempts that target their IT Help Desks and related service providers. We recommend Okta customers implement our industry-leading, phishing-resistant methods for enrollment, authentication, and recovery. Please see Okta Solutions for Phishing Resistance for more information on protecting your organization from phishing. We also strongly recommend that customers review their IT Help Desk verification processes and ensure that appropriate checks, such as visual verification, are performed before performing high risk actions such as password or factor resets on privileged accounts.
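The session binding and session timeout items above are enforced by Okta once enabled, but a SOC will also want to look backwards: which admin sessions in the System Log were reused from a different network, or stayed alive longer than the new 12-hour / 15-minute defaults would allow? The script below is an added example, not Okta's code, that applies exactly those two checks to exported System Log events. The field names it reads (published, actor.alternateId, client.ipAddress, securityContext.asNumber, authenticationContext.externalSessionId) follow the System Log schema as I understand it and should be confirmed against an export from your own org; the events are constructed, using private ASNs and documentation IP ranges.

```python
"""Flag admin sessions reused across ASNs or exceeding idle/lifetime limits.

Added example (not Okta's code) run over Okta System Log style events.
Assumed event fields: published, eventType, actor.alternateId,
client.ipAddress, securityContext.asNumber,
authenticationContext.externalSessionId.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_IDLE = timedelta(minutes=15)     # new admin console default idle timeout
MAX_LIFETIME = timedelta(hours=12)   # new admin console default session lifetime


def parse_ts(s):
    """System Log 'published' timestamps are UTC with millisecond precision."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def sessions_from_events(events):
    """Group events by external session id as sorted (time, actor, ip, asn) rows."""
    sessions = defaultdict(list)
    for e in events:
        sid = e["authenticationContext"]["externalSessionId"]
        sessions[sid].append((
            parse_ts(e["published"]),
            e["actor"]["alternateId"],
            e["client"]["ipAddress"],
            e["securityContext"]["asNumber"],
        ))
    for rows in sessions.values():
        rows.sort()
    return sessions


def analyze(events):
    """Return {session_id: finding} for sessions that trip any check.

    Reasons: 'asn_change' (same session cookie seen from two ASNs, the
    condition the session binding feature reauthenticates on),
    'idle_exceeded' (a gap between consecutive events over MAX_IDLE) and
    'lifetime_exceeded' (first-to-last span over MAX_LIFETIME).
    """
    out = {}
    for sid, rows in sessions_from_events(events).items():
        reasons = []
        asns = [r[3] for r in rows]
        if len(set(asns)) > 1:
            reasons.append("asn_change")
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        if gaps and max(gaps) > MAX_IDLE:
            reasons.append("idle_exceeded")
        if rows[-1][0] - rows[0][0] > MAX_LIFETIME:
            reasons.append("lifetime_exceeded")
        if reasons:
            out[sid] = {
                "actor": rows[0][1],
                "asns": sorted(set(asns)),
                "ips": sorted({r[2] for r in rows}),
                "reasons": reasons,
            }
    return out


def make_event(published, actor, ip, asn, sid):
    """Build one constructed admin-console access event (hypothetical data)."""
    return {
        "published": published,
        "eventType": "user.session.access_admin_app",
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip},
        "securityContext": {"asNumber": asn},
        "authenticationContext": {"externalSessionId": sid},
    }


# Constructed sample: one healthy session, one reused from a second ASN after a
# 20-minute gap, one that lived 12.5 hours. ASNs 64512/64513 are private-use.
SAMPLE_EVENTS = [
    make_event("2023-10-20T10:00:00.000Z", "alice@example.com", "198.51.100.7", 64512, "s-legit"),
    make_event("2023-10-20T10:05:00.000Z", "alice@example.com", "198.51.100.7", 64512, "s-legit"),
    make_event("2023-10-20T10:00:00.000Z", "alice@example.com", "198.51.100.7", 64512, "s-stolen"),
    make_event("2023-10-20T10:20:00.000Z", "alice@example.com", "203.0.113.9", 64513, "s-stolen"),
    make_event("2023-10-20T08:00:00.000Z", "bob@example.com", "192.0.2.44", 64512, "s-long"),
    make_event("2023-10-20T08:10:00.000Z", "bob@example.com", "192.0.2.44", 64512, "s-long"),
    make_event("2023-10-20T20:30:00.000Z", "bob@example.com", "192.0.2.44", 64512, "s-long"),
]

if __name__ == "__main__":
    for sid, f in analyze(SAMPLE_EVENTS).items():
        print(sid, f["actor"], f["reasons"], "asns:", f["asns"], "ips:", f["ips"])
```

An ASN change on its own is not proof of theft (a laptop moving from office Wi-Fi to a phone hotspot produces one), which is why Okta's control reauthenticates rather than revokes; treat the finding as a triage queue and give priority to sessions that also carry a large idle gap, as "s-stolen" does here. Feed the function the JSON array from a System Log export and filter on eventType first if the volume is large.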

Article information

Author: Rob Wisoky