Rewterz Threat Update – Okta Denies Leaked Data on Dark Web Forum Being from Its Systems

Severity

High

Analysis Summary

Okta has recently denied that its company’s data was leaked after a hacker published files on a dark web forum, claiming that they were stolen during the October 2023 cyberattack on Okta’s systems.

In October 2023, the cloud identity and access management solutions provider issued a warning that its support system was breached by attackers using stolen credentials, which allows the threat actors to steal the authentication and cookies of some customers. The incident highly increased the risk of breaches for many Okta customers, one notable case being a later compromise of one of Cloudflare’s Atlassian servers that was self-hosted in which the attackers used stolen access tokens during the Okta breach.

On Saturday, a threat actor on a dark web leaks forum claimed to have leaked an Okta database with data of 3,800 users that was stolen during the massive breach last year. The leaked data contains full names, company names, user IDs, phone numbers, office addresses, email addresses, roles, positions, and other information.

Today, the company announced that the data seems to be from public information available on the internet and doesn’t belong to them, nor is it linked to the October 2023 security breach. A spokesperson from Okta said that it is not possible to determine the source of the data or its legitimacy currently, but it is noticeable that some of the fields are dated over a decade ago. The company also reassured that its security team has thoroughly investigated all its systems and found no evidence of a breach.

A cybersecurity company also checked the leaked data and concluded that the data does not belong to Okta, but it is possible to be from a different company that was breached in July. The analysis of the data confirms it to be the same data dump made in July 2023 by a threat actor who claimed to have stolen it from the National Defense Information Sharing and Analysis Center.

Impact

• Information Exposure
• Sensitive Data Theft

Remediation

• Implement multi-factor authentication to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Prohibit password sharing and do not use the same password for multiple platforms, servers, or networks.
• Restrict installation of untrusted 3rd party applications.