Okta Discloses Support System Breach
On Friday, October 20, identity and access management firm Okta disclosed that stolen credentials were used to access the company’s support case management system. The intruder was able to view customer HTTP Archive (HAR) files that were uploaded as part of support cases. HAR files sometimes include cookies and session tokens, which bad actors can exploit to impersonate users. Okta has contacted and worked with all affected customers to revoke exposed session tokens.
Any organization outsourcing identity must establish a plan to detect compromise of the outsourced identity function. You must not rely solely on the service provider to detect compromise. Do not outsource identity management if you do not have a detection plan in place.
An important point to note is that this breach was discovered and reported to Okta by its customers, not by Okta itself. As we rely more and more on third-party providers for key services, we need to ensure that our detection and incident response capabilities can deal with a breach in those third parties, and that our security doesn't stop with a list of security questions sent to the vendor as part of the initial engagement.
It is ironic that Okta's marketing tag line is "Everything starts with Identity" and they were compromised by a stolen identity credential. This incident is a good reason to check whether your support systems or processes are using HTTP Archive files that may expose sensitive information or credentials.
When you're gathering data for a support ticket, be aware of sensitive data included in that data. Consider redacting, or better still not gathering in the first place, data the vendor doesn't need, particularly sensitive data such as session tokens. Ask where your information is stored, for how long, and who can access it. Have conversations about what data you do and don't want to share with system admins and/or users before a ticket ever gets filed. Be available to help ticket filers gather only what is needed.
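The two preceding points, checking whether HAR files in your support process expose credentials and redacting them before they are shared, can be turned into a small pre-upload check. The following is an added example, not code from Okta or from the newsletter: it scans a HAR 1.2 document for the places where session material normally lives (request and response headers such as Authorization and Set-Cookie, all cookie entries, and token-like query or form parameters), reports what it found, and writes a redacted copy. The header and parameter name lists are assumptions to extend for your own applications, and the embedded HAR is a constructed sample.

```python
import json
import sys
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed name lists; extend them to match the headers and parameters your own apps use.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "session", "sessiontoken", "code"}
REDACTED = "[REDACTED]"

# Constructed sample HAR (not a real capture) with a bearer token and a session cookie.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://example.invalid/api/me?access_token=abc123",
                "headers": [{"name": "Authorization", "value": "Bearer abc123"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "s3cr3t-session"}],
                "queryString": [{"name": "access_token", "value": "abc123"}],
            },
            "response": {
                "status": 200,
                "headers": [{"name": "Set-Cookie", "value": "sid=s3cr3t-session; Secure; HttpOnly"},
                            {"name": "Content-Type", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "s3cr3t-session"}],
                "content": {"mimeType": "application/json", "text": "{\"user\":\"alice\"}"},
            },
        }],
    }
}


def _locations(entry):
    """Yield (label, list of name/value pairs, sensitive-name set) for one HAR entry.
    A set of None means every pair at that location is sensitive (cookies)."""
    for side in ("request", "response"):
        msg = entry.get(side, {})
        yield f"{side}.headers", msg.get("headers", []), SENSITIVE_HEADERS
        yield f"{side}.cookies", msg.get("cookies", []), None
    req = entry.get("request", {})
    yield "request.queryString", req.get("queryString", []), SENSITIVE_PARAMS
    yield "request.postData.params", req.get("postData", {}).get("params", []), SENSITIVE_PARAMS


def _is_sensitive(name, names):
    return names is None or name.lower() in names


def scan_har(har):
    """Return a list of (entry_index, location, field_name) for every exposed field."""
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for loc, pairs, names in _locations(entry):
            for pair in pairs:
                if _is_sensitive(pair.get("name", ""), names):
                    findings.append((i, loc, pair["name"]))
    return findings


def _redact_url(url):
    """Mask token-like query parameters in the entry's URL field as well."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_har(har):
    """Return a deep copy of the HAR with sensitive values replaced; the input is untouched."""
    out = deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for _, pairs, names in _locations(entry):
            for pair in pairs:
                if _is_sensitive(pair.get("name", ""), names):
                    pair["value"] = REDACTED
        req = entry.get("request", {})
        if "url" in req:
            req["url"] = _redact_url(req["url"])
    return out


if __name__ == "__main__":
    # Usage: python har_redact.py capture.har redacted.har   (no args: run on the sample)
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    for idx, loc, name in scan_har(har):
        print(f"entry {idx}: {loc} -> {name}")
    if len(sys.argv) > 2:
        json.dump(redact_har(har), open(sys.argv[2], "w"), indent=2)
```

Run the scan before a HAR leaves your organisation; a non-empty finding list means the capture still carries material that could be used to impersonate the user who recorded it. Note that the response body text is left as-is here, so captures of endpoints that return tokens in JSON bodies still need manual review or a body-specific rule.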