Okta access token breach
24 October
Summary
1Password confirmed suspicious activity in its Okta identity management tenant and, after investigation, that no 1Password user data was accessed. Cloudflare and BeyondTrust reported the same: both stated that no customer data was stolen.
The malicious activity was observed on 29 September and was directed at employee-facing applications. Access was gained with stolen credentials, as disclosed by Okta.
However, data was retrievable from Okta's support case management system: files uploaded to support cases were visible to the attacker. Okta has informed the customers impacted by the breach. The retrievable data included HTTP Archive (HAR) files, which contain sensitive data such as cookies and session tokens that an attacker can use to impersonate valid users.
Security recommendations
Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it. If in doubt, we recommend resetting those credentials and sessions whenever a HAR file has been shared with Okta support.
More information can be found here.
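A sanitizer that implements the recommendation above, added here as an example and not code from Okta, 1Password or any of the affected vendors: it takes a HAR 1.2 document (JSON), redacts every cookie, credential-bearing headers and query parameters (in both the queryString array and the request URL), sensitive keys and JWT-shaped strings in request and response bodies, and reports how many values it redacted. The sensitive-name fragments, the JWT regex and the sample HAR are constructed assumptions for this example.

```python
import copy
import json
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Name fragments that mark a header, query parameter or JSON key as credential
# material. Assumed list for this example; extend it for your own applications.
SENSITIVE_NAME_PARTS = ("token", "auth", "session", "secret", "password",
                        "cookie", "apikey", "api-key", "api_key")
# Anything shaped like a JWT: three base64url segments, header starting "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def is_sensitive_name(name):
    lowered = (name or "").lower()
    return any(part in lowered for part in SENSITIVE_NAME_PARTS)


def redact_pairs(pairs, every=False):
    """Redact HAR {name, value} pairs. Cookies pass every=True: any cookie may carry a session."""
    count = 0
    for pair in pairs:
        if pair.get("value") and (every or is_sensitive_name(pair.get("name"))):
            pair["value"] = REDACTED
            count += 1
    return count


def redact_url(url):
    """Redact sensitive query parameters embedded in request.url; returns (url, count)."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    count, kept = 0, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if value and is_sensitive_name(key):
            kept.append((key, REDACTED))
            count += 1
        else:
            kept.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), count


def redact_json(obj):
    """Recursively redact string values stored under sensitive keys in a parsed JSON body."""
    count = 0
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, str) and value and is_sensitive_name(key):
                obj[key] = REDACTED
                count += 1
            else:
                count += redact_json(value)
    elif isinstance(obj, list):
        for item in obj:
            count += redact_json(item)
    return count


def redact_text(text):
    """Redact a body: sensitive JSON keys first if it parses, then any JWT-shaped string."""
    count = 0
    try:
        parsed = json.loads(text)
    except ValueError:
        parsed = None
    if isinstance(parsed, (dict, list)):
        count += redact_json(parsed)
        text = json.dumps(parsed)
    text, hits = JWT_RE.subn(REDACTED, text)
    return text, count + hits


def sanitize_har(har):
    """Return (sanitized deep copy, number of redacted values); the input is left untouched."""
    out = copy.deepcopy(har)
    total = 0
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if "url" in req:
            req["url"], n = redact_url(req["url"])
            total += n
        total += redact_pairs(req.get("headers", []))
        total += redact_pairs(req.get("cookies", []), every=True)
        total += redact_pairs(req.get("queryString", []))
        post = req.get("postData", {})
        if "text" in post:
            post["text"], n = redact_text(post["text"])
            total += n
        total += redact_pairs(post.get("params", []))  # form-encoded bodies
        total += redact_pairs(resp.get("headers", []))  # catches Set-Cookie
        total += redact_pairs(resp.get("cookies", []), every=True)
        content = resp.get("content", {})
        if "text" in content:
            content["text"], n = redact_text(content["text"])
            total += n
    return out, total


def har_dump(har):
    return json.dumps(har, indent=2)


# Constructed sample HAR for this example (not a real capture).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/api/v1/users/me?sessionToken=abc123&expand=full",
        "headers": [{"name": "Authorization", "value": "Bearer tok-555"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102xyz"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"},
                        {"name": "expand", "value": "full"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102xyz; Path=/; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102xyz"}],
        "content": {"mimeType": "application/json",
                    "text": '{"id": "00u1", "access_token": '
                            '"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl"}'}}}]}}

if __name__ == "__main__":
    # Usage: python har_sanitize.py capture.har > capture.sanitized.har
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, redacted = sanitize_har(source)
    print(har_dump(clean))
    print(f"redacted {redacted} value(s)", file=sys.stderr)
```

Cookies are redacted wholesale rather than by name because a session cookie can have any name; headers and body keys are matched on name fragments, so review the sanitized file once before sharing it, and still treat any session that appeared in the original capture as exposed if you are unsure what was sent.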
Okta has also provided a list of IoCs:
IP Addresses:
23.105.182.19
104.251.211.122
202.59.10.100
162.210.194.35 (BROWSEC VPN)
198.16.66.124 (BROWSEC VPN)
198.16.66.156 (BROWSEC VPN)
198.16.70.28 (BROWSEC VPN)
198.16.74.203 (BROWSEC VPN)
198.16.74.204 (BROWSEC VPN)
198.16.74.205 (BROWSEC VPN)
198.98.49.203 (BROWSEC VPN)
2.56.164.52 (NEXUS PROXY)
207.244.71.82 (BROWSEC VPN)
207.244.71.84 (BROWSEC VPN)
207.244.89.161 (BROWSEC VPN)
207.244.89.162 (BROWSEC VPN)
23.106.249.52 (BROWSEC VPN)
23.106.56.11 (BROWSEC VPN)
23.106.56.21 (BROWSEC VPN)
23.106.56.36 (BROWSEC VPN)
23.106.56.37 (BROWSEC VPN)
23.106.56.38 (BROWSEC VPN)
23.106.56.54 (BROWSEC VPN)
User-Agents:
While the following user-agents are legitimate, they may be rare in your environment given the release of Chrome 99 in March 2022.
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36 (Legitimate, but older user-agent)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.83 Safari/537.36 (Legitimate, but older user-agent)