Threat Advisory: Okta Compromise

News came to light recently from a threat actor group that authentication provider Okta had been compromised by one of their members. 

Okta later confirmed this, saying that an account of one of their customer support engineers had been accessed. Okta reported that after investigation it appears that 2.5% of their users were affected whose data may have been impacted or acted upon. While Okta has said they have already identified and reached out to those customers who were affected, it further amplifies the focus that malicious actors have on cyber supply chains. 

If you're concerned about your environment in light of this incident, our engineering team has put together a list of recommendations that can help keep you more secure: 

• Enable Multi Factor Authentication (MFA) for all user accounts. Depending on passwords alone do not offer the necessary level of protection against attacks.
• We strongly recommend the usage of hard keys, as other methods of MFA can be vulnerable to phishing attacks.
• Investigate and respond:
  • Check all passwords and any MFA changes for your Okta instances.
  • Pay special attention to support initiated events.
  • Make sure all password resets are valid or just assume they are all under suspicion and force a new password reset.
  • During your investigation if you find any suspicious MFA-related events, make sure only the valid MFA keys are present in the user's account configuration.
  • Implement other security layers to provide extra security defenses in case one of them fails.