Credential theft
Okta Security / BeyondTrust / BleepingComputer
Primary Source
Incident Details
A threat actor accessed Okta's customer support case management system from Sept 28 to Oct 17, 2023, using credentials stolen from an employee's personal Google account. 134 Okta customers (<1%) were affected. HAR files stolen from support cases contained session tokens, which were used for session hijacking against 5 customers, including BeyondTrust, Cloudflare, and 1Password. Session tokens from support HAR files enabled account takeover. Okta's disclosure came after customers independently detected attacks.
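A HAR file is a JSON capture of browser traffic, so cookies and bearer tokens sit in it in clear text. The following scrubber is an added example (not code from Okta or any vendor named here) that redacts those fields before a capture is shared; the header and parameter name lists are assumptions, and the sample HAR is constructed.

```python
import copy

# Header names whose values carry credentials or session state (assumed list).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-csrf-token"}
# Query/form parameter names treated as secrets (assumed list, extend per app).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "sessiontoken", "code"}
REDACTED = "[REDACTED]"

# Constructed sample capture: one request/response pair with a session cookie.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"url": "https://example.test/app?token=abc123&page=2",
                "headers": [{"name": "Cookie", "value": "sid=constructed-session-id"},
                            {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "constructed-session-id"}],
                "queryString": [{"name": "token", "value": "abc123"},
                                {"name": "page", "value": "2"}]},
    "response": {"headers": [{"name": "Set-Cookie",
                              "value": "sid=constructed-session-id; HttpOnly"}],
                 "content": {"text": "{\"echo\": \"abc123\"}"}},
}]}}

def _scrub_pairs(pairs, sensitive=None):
    """Redact values in a HAR name/value list; sensitive=None redacts every pair."""
    n = 0
    for pair in pairs or []:
        if sensitive is None or pair.get("name", "").lower() in sensitive:
            pair["value"] = REDACTED
            n += 1
    return n

def sanitize_har(har):
    """Return (scrubbed deep copy of a HAR dict, count of name/value fields redacted)."""
    har = copy.deepcopy(har)
    n = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            n += _scrub_pairs(msg.get("headers"), SENSITIVE_HEADERS)
            n += _scrub_pairs(msg.get("cookies"))  # every cookie value
        n += _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        n += _scrub_pairs(req.get("postData", {}).get("params"), SENSITIVE_PARAMS)
        # The URL repeats the query string, so drop everything after "?".
        if "url" in req:
            req["url"] = req["url"].split("?", 1)[0]
        # Request and response bodies can echo tokens; blank them entirely.
        for body in (req.get("postData"), resp.get("content")):
            if body and "text" in body:
                body["text"] = REDACTED
    return har, n
```

Name-based redaction only covers known fields, so a scrubbed capture should still be reviewed before it leaves the organisation.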
Technical Details
- Initial Attack Vector: CWE-522: Insufficiently Protected Credentials (employee personal Google account compromise exposing corporate credentials)
- Vendor / Product: Okta Customer Support System
Timeline
- 2023-09-28 Breach occurred
- 2023-10-20 Publicly disclosed
- 2023-10-20 Customers notified