Okta Support System Breach (2023)
What is Okta Support System Breach (2023)?
A September-October 2023 breach of Okta's customer support case management system that exposed HAR files containing session tokens for downstream customers.
In October 2023, identity provider Okta disclosed that attackers had used a service account to access its customer support case management system between late September and mid-October 2023. The intruder downloaded HAR (HTTP Archive) files uploaded by customers for troubleshooting; some HAR files contained valid session tokens. Attackers then reused those tokens to access downstream customer Okta tenants. Confirmed victims included 1Password, Cloudflare and BeyondTrust, all of whom detected and contained the activity. Okta later revealed the breach exposed contact information for all support customers. Mitigations include sanitizing HAR uploads, binding sessions to device posture and using phishing-resistant administrator MFA.
● Examples
- 01
A CISO learns from BeyondTrust that an Okta session token from a sanitized support case still allowed admin actions in their tenant.
- 02
An organization deploys automation to strip Authorization and cookie headers from HAR files before sending them to vendors.
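Example 02 describes stripping Authorization and cookie headers from HAR files before they leave the organization. The Python sanitizer below is an added example, not code from this page or from Okta; it assumes the standard HAR 1.2 JSON layout (log.entries[].request and .response, each with headers and cookies lists), and the sample HAR, its tenant URL and its cookie values are constructed placeholders. It also offers a pre-upload check that lists any session material still present, so a file can be rejected rather than uploaded.

```python
import copy

# Header names whose values commonly carry session material (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"


def find_session_material(har, extra_headers=()):
    """List unredacted sensitive headers/cookies, e.g. 'entry 0 request header Cookie'."""
    names = SENSITIVE_HEADERS | {h.lower() for h in extra_headers}
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in names and h.get("value") != REDACTED:
                    findings.append(f"entry {i} {side} header {h['name']}")
            for c in part.get("cookies", []):
                if c.get("value") != REDACTED:
                    findings.append(f"entry {i} {side} cookie {c.get('name', '?')}")
    return findings


def sanitize_har(har, extra_headers=()):
    """Return (sanitized deep copy, number of values redacted); the input dict is untouched."""
    names = SENSITIVE_HEADERS | {h.lower() for h in extra_headers}
    out, count = copy.deepcopy(har), 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in names and h.get("value") != REDACTED:
                    h["value"] = REDACTED
                    count += 1
            for c in part.get("cookies", []):  # cookie objects duplicate the header values
                if c.get("value") != REDACTED:
                    c["value"] = REDACTED
                    count += 1
    return out, count


# Constructed sample HAR (not a real capture): one request to a placeholder tenant.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example-tenant.invalid/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=constructed-session-id"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "constructed-session-id"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=constructed-new-id; HttpOnly"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "constructed-new-id"}]}}]}}
```

Running `find_session_material` on a file before upload and refusing anything with a non-empty result is the check; `sanitize_har` produces the copy that is safe to attach to a support case under this policy.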
● Frequently asked questions
What is Okta Support System Breach (2023)?
A September-October 2023 breach of Okta's customer support case management system that exposed HAR files containing session tokens for downstream customers. It belongs to the Vulnerabilities category of cybersecurity.
How do you defend against Okta Support System Breach (2023)?
Defences for Okta Support System Breach (2023) combine technical controls and operational practices: sanitizing HAR files of session tokens and cookies before uploading them to a vendor, binding sessions to device posture so a stolen token cannot be replayed from another device, and requiring phishing-resistant MFA for administrators, as described in the definition above.
What are other names for Okta Support System Breach (2023)?
Common alternative names include: Okta HAR breach.
● Related terms
- Session Hijacking: an attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.
- Supply Chain Attack: an attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.