The Okta Hack story development continues…
On March 23rd, David Bradbury, CSO of Okta, issued a press release detailing a timeline of their incident response.
In summary, Okta utilizes third-party vendor Sitel for customer support inquiries. In late January, a support engineer’s account was supposedly accessed but the employee declined the MFA challenge. The Okta security team contained the user account and shared indicators of compromise with Sitel, who launched a forensics investigation through another third-party.
This investigation took over a month to complete, but Okta eventually received a summary report in mid-March, several days before LAPSU$ disclosed the screenshots recently.
David Bradbury explains that support engineers have limited access in order to fulfill their duties managing inbound support requests, including the use of Okta’s internal tools such as Jira, Splunk, Slack and an internal suite called “SuperUser” which does not actually have superuser access to Okta systems. He assures that support engineers are unable to modify users, download databases or access code repositories.
Okta’s own internal investigation reveals that the support engineer’s machine itself was accessed via RDP rather than the account being compromised. Mr. Bradbury in the release compares it to “a stranger [at a coffee shop] has (virtually in this case) sat down at your machine and is using the mouse and keyboard.”
Okta Security additionally states they have analyzed over 125,000 log entries in the past day and have estimated the maximum reach is 366 customers (or 2.5% of the Okta base). Okta will be furnishing these customers a copy of the forensic report to assist with their own internal investigations.