Exploring Okta’s Data Breaches and Customer Incidents
In the realm of cybersecurity, the topic of Identity Access Management (IAM) has been garnering attention, more so with the recent spate of security incidents involving Okta, a renowned player in the IAM space.
This analysis isn’t a critique of Okta, which has already faced its share of scrutiny, but rather an exploration to understand the unfolding events, highlight the importance of robust identity security controls, and discuss the broader implications on the industry. Through this lens, we aim to shed light on how we, as a collective industry, can bolster our defenses and advance IAM resilience.
Identity access management system Okta witnessed multiple security incidents from 2022 to 2023.
Below is a detailed delineation of these incidents.
Hacking Groups Targeting Okta and it’s Customers:
Lapsus$:
Lapsus$ is a notorious hacking group known for targeting high-profile companies and leaking sensitive data online. They employ tactics such as phishing and exploiting vulnerabilities in web applications.
Scattered Spider:
Scattered Spider, also known as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group.
An affiliate of ALPHV users (and speculated by some outlets to be a subgroup of ALPHV) made up primarily of British and American hackers, worked with ALPHV in its September 2023 ransomware attacks against MGM Resorts The hackers demanded a $30 million USD ransom from Caesars, which paid $15 million to the hackers. – Wikipedia
They use tactics like phone-based social engineering and smishing attacks to gain authentic credentials of victims to launch their attacks. The group mainly comprises Europeans and individuals from the US in their teens and 20s as of September 2023. They gained notoriety and made a name for themselves in the Dark Web when they hacked – Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States.
ALPHV:
ALPHV, also known as BlackCat or Noberus, a newly emerged hacking group, known for its stealthy operations and sophisticated attacks. Utilizing a Ransomware-as-a-Service (RaaS) model, the group primarily gains access to targets using stolen credentials, often sourced from initial access brokers. The ALPHV group has compromised numerous organizations, notably including Reddit in 2023.
Recent breaches involving Okta customers underscore the increasing relevance of this ransomware’s tactics. The focus on exploiting stolen credentials for initial entry points to Identity and Access Management (IAM) solutions.
Oktapus Phishing Campaign by Scattered Spider:
March 2022 – Ongoing
In March 2022, following the Lapsus$ breach, Okta users were targeted by a malicious phishing campaign dubbed “0ktapus,” orchestrated by a hacking group known as Scatter Swine.
The campaign saw the creation of phishing pages meticulously designed to mimic Okta login portals, leading to the compromise of nearly 10,000 Okta credentials.
This deceptive tactic posed significant risks to the affected organizations, with the campaign reportedly extending its malicious operations to over 130 organizations, particularly in tech and gaming sectors.
The 0ktapus phishing scam demonstrates the evolving threats within the digital ecosystem, highlighting the necessity for robust Identity Access Management (IAM) resilience to mitigate such cybersecurity risks.
Okta Data Breaches (2022-2023):
Lapsus$ Breach: January 2022
In January 2022, Okta fell victim to a breach by the hacking group Lapsus$.
The initial compromise occurred through a third-party support vendor, Sitel, and later escalated to a more significant breach within Okta’s environment.
Second Major Breach: August 2022
A few months later, Okta experienced a second major breach where source code was stolen from its GitHub repositories. This breach was reportedly not linked to customer data access, and Okta’s service remained secure.
Third Major Breach Breach: October 2023
In October 2023, another breach occurred when adversaries accessed Okta’s support case management system, which had a ripple effect on some of its customers like BeyondTrust, Cloudflare, and 1Password.
The breach was initially detected by BeyondTrust, and Okta confirmed it later. The compromised system contained HTTP Archive (HAR) files, potentially exposing sensitive data like cookies and session tokens.
Okta Customer Breaches and Attacks:
MGM Resorts:
MGM Resorts faced a cyberattack in September 2023, which was expected to cost the company more than $100 million. The attack led to the shutting down of some casino and hotel computer systems. Although the breach wasn’t directly linked to Okta in the sources, hackers exploited vulnerabilities in MGM’s Okta Agent to infiltrate the network.
Caesars:
Caesars fell victim to a cyber-attack in August 2023 due to a social engineering attack on an outsourced IT support vendor, leading to unauthorized network access and data exfiltration. Okta confirmed that Caesars was among the victims of a social engineering campaign during this period.
1Password:
In September 2023, 1Password reported a security incident after a breach at Okta, although no user data was stolen. 1Password uses Okta to manage employee-facing applications, and the breach at Okta’s support system had a ripple effect on 1Password’s environment.
BeyondTrust:
BeyondTrust played a pivotal role in detecting the October 2023 breach at Okta. They discovered a similar intrusion on their Okta environment and alerted Okta on October 2, 2023. Their proactive detection and alert helped in identifying and thwarting the threat actor before damages occurred.
The incidents highlighted in this section underscore the ripple effect that a security compromise in one part of the digital ecosystem can have across various entities, emphasizing the importance of collaborative security measures and immediate response mechanisms in minimizing potential damages.
How to Prevent Okta Breaches?
Gain Better Control Over Admin Changes
In order to protect your data going forward in advance of any future security breaches of Okta, the first thing you should do is implement a better alert system for admin changes.
It’s important that end users such as yourself have visibility into what changes were made and when in order to take control over the recovery process. Or, in the words of Muli Motola, Acsense CEO and co-founder.
“They [end users] need to have better control over admin changes into the system”
Motola continues, emphasizing the importance of continual monitoring:
“They need to monitor them. They need to alert them. They need to connect them to a SIEM. They need to have good alerts, if changed, on each change.”
There are two parts to the sandwich to make sure your data is secure.
One is to prevent access. The other is to ensure you have a good backup to the system in case of a breach. That backup should be segregated from the main system and should be able to recover small pieces in case of minor changes and a different tenant in case of a big disaster.
“A bit similar to what we knew from the past when we had multiple data centers that were able to recover in case of a disaster in one of them,” he said. “So it’s kind of a new era where SaaS also needs to be able to be recovered because cyber attacks are so abundant.”
Look at Your Business From a Disaster Recovery Perspective
Okta’s customer statistics say that, on average, a customer uses 155 applications annually.
That may seem like it would increase their vulnerability, but Muli says that’s not true because only a few of those are necessary for recovery. From a data perspective, 155 applications seems really big, but from a disaster and recovery perspective, things narrow down. Just like if your house were on fire, you’d have time to pick the five most important things to save to survive and start over.
That would look like your family, your pet, your passports, maybe. It probably wouldn’t include things like your refrigerator or other somewhat important things you collected throughout your life. In a breach, you’d do the same with your business.
“Some articles say that, in general, in order to bring the business back to life, you probably need something like 10% of your applications to go back to life,”
Businesses should write down the top 10 applications they need for their company to run and think of how that recovery process would go.
Protect Your Okta Data
One of the most crucial things businesses need to understand is that SaaS products do not come with disaster recovery capabilities.
Every company is responsible for its own data protection. Many people believe that major SaaS tools like Salesforce will be able to recover themselves, but it’s not true.
“It’s actually responsible for the resilience of the infrastructure, the security, the performance, scalability, et cetera, but not for the data and the configurations,” Motola said.
Even if you could export your data every day with all of the changes, that doesn’t mean you’d be able to return that data to the SaaS product in case of a breach. It doesn’t mean that the integrity of the data would match what was required by the database.
Also, it is part of the vendor’s responsibility to not touch your data or even see it as part of privacy and data protection rules.
“That means that data protection for the cloud is something that’s going to be a huge thing in the future because everybody understands that it’s their own responsibility,”.
Have an Okta Backup and Recovery Solution
If you don’t have a dedicated Okta disaster recovery platform, there are a couple of things you can do, but it won’t be a full-scale solution.
The best option is to use a company like Acsense (shameless plug!) that can provide disaster recovery for your identity access management system and bring you fully back online in the event that another Okta breach similar to the Okta breach from 2022 happens in the future.
“If you’re working in the cloud, not in a hybrid situation, when you have the ability to backup a server, you probably don’t have any cloud data backed up,”.
Google Drive and your email allow you to keep versions to recover, and even Salesforce can offer some recovery assistance if you ask them, but these don’t bring back everything you need.
“You do not have this capability for your SaaS infrastructure, which means the IT of your cloud environment, the identity management network management, all your ‘as a service’ tools probably don’t have backup capabilities,”.
“And for sure, they don’t have the ability to recover themselves in case you really lost access to the tenant,”.
Run Disaster Recovery Drills
For companies that want to be better prepared for the next breach, running disaster recovery drills is a good way to make sure you’ve thought through everything.
“What happens today with our customers is that they’re doing what we call DR drills,” Motola said.
The customers are taking a couple of hours where they act as if Okta is down.
An attacker has compromised it, and they have to fail the secondary system.
This type of drill requires critical thinking and answering necessary questions about their DR plan, including:
- What are my priorities for applications?
- Who am I bringing first?
- What am I telling my users?
- What is the risk for the organization?
- What am I doing with the other business applications in the meantime?
Motola also stresses the importance of using a secondary tenant:
“Having a secondary tenant to practice on allows you to actually think it over, doing an actual hands-on workshop and actual drill.”
Working through these drills can change your mindset about managing your cloud environment and the type of control you want to have over your data. You no longer think of calling support first thing and waiting for directions.
It becomes your own decision and process because protecting your data is up to you.
Take the Next Steps to Secure Your IAM Infrastructure
Schedule a demo with our experts to explore how Acsense’s IAM Resilience Platform can fortify your Okta system against threats and ensure your business continuity.
Don’t leave your IAM resilience to chance.
