Okta Inc. shares tumbled after the identity verification company said that hackers used a stolen credential to access its support case management system.
Hackers were able to view some files uploaded by certain Okta customers as part of recent support cases, according to a Friday blog post by David Bradbury, Okta’s chief security officer. The company has revoked some session tokens as a result and has already notified all victims, Bradbury said.
About 184 customers, representing about 1% of the Okta’s total, were affected, according to a spokesperson. Okta shares fell 12% at the close on Friday in New York, its worst single-day decline since June 1.
The attack was previously reported by cybersecurity journalist Brian Krebs, who wrote that the intrusion appeared to have occurred at least two weeks before it was fully contained.
BeyondTrust, an identity management company, said in a blog post on Friday that it was among the customers affected by the October breach. The company said it first notified Okta of a possible intrusion in its systems on Oct. 2 but that it took until Oct. 19 for Okta to confirm it had been breached.
Marc Maiffret, BeyondTrust’s chief technology officer, told Bloomberg News it seemed to have taken Okta a bit of time to realize it had a breach despite his efforts to encourage the company to escalate his concerns. He said he was “extra feisty” during a Oct. 11 call with Okta, saying he pushed it to look into the claims.
In the blog, Maiffret said the company’s security teams initially detected an identity-based attack on an in-house Okta administrator account. The attack used a valid session cookie stolen from Okta’s support system, he said. The company “immediately detected and remediated the attack” using its own identity tools, Maiffret said, adding that there was no impact or exposure to BeyondTrust’s infrastructure or its customers.
Maiffret blamed “limitations in Okta’s security model” that he said allowed the hackers to perform “a few confined actions.”
Okta didn’t immediately reply to a request for comment about the claims made by BeyondTrust.
The breach follows an August warning from Okta that attackers were using social engineering tactics on its customers. In that instance, the attackers were attempting to trick IT service help desk staff to reset multifactor authentication for privileged users in order to gain broad access to company systems.
(Updates with additional details starting in third paragraph.)
