Alert essentials:
Threat actors compromised Okta’s customer support system in early October, gaining unauthorized access to Okta’s system with stolen credentials. Immediately reset all Okta admin credentials and terminate active sessions.

Detailed threat description:
On October 20, 2023, Okta disclosed another intrusion into its customer support system. However, BeyondTrust had already detected an attacker attempting to access an in-house administrator account using a valid Okta session cookie on October 2, an incident it reportedly escalated to Okta at the time.

1Password experienced an incident on October 18, and Cloudflare detected suspicious activity on its Okta instance on October 20. BeyondTrust continued to follow up on its incident, and Okta admitted to the breach on October 20.

Okta states the compromise affected 184 Okta customers, all of whom have been contacted.

If an organization uses Okta and has not been contacted about the breach, Okta likely does not believe that organization was impacted. As an extra precaution, resetting all Okta admin credentials and terminating active sessions is recommended. Search for indicators of compromise and apply the recommendations below to harden the Okta attack surface.

It is currently unclear how the compromise at Okta will affect its clients. However, attackers commonly follow such breaches with social engineering attacks that attempt to bypass MFA, and knowing the specific MFA solutions employed by individual clients may facilitate these attacks.


Affected Products / Versions
No specific product versions have been reported as affected, since this breach pertains to a compromise of Okta's own network rather than a flaw in an Okta product. Reportedly, information about Okta's clients has been exposed.

CVE

  • No specific CVEs are known at this time.


Recommendations

Engineering recommendations:

  • Enable multi-factor or two-factor authentication on Okta and throughout the network
  • Immediately reset all Okta admin credentials and terminate active sessions
  • Check for third-party IDP federation configurations. Ensure each IDP is recognized, SAML certificates are intact (verify fingerprints), the JWKS endpoint is correct, and user JIT creation settings are unmodified.
  • Check for third-party IDP routing configurations. Ensure there is no modification to user inclusion groups, IP ranges, or device platforms.
  • Check for any new account creations performed via Admin API or Console. If any new account is created, ensure proper change management documentation is associated with them.
  • Check for new API key issuance for both existing accounts and new accounts
  • Check delegated authentication settings. This should remain off if you are not using an on-premises Active Directory or LDAP server.
  • Check for Okta support impersonation events in your event log. The event name is user.session.impersonation.initiate.
  • Add policy controls in Okta to restrict access to the admin console
  • Consider adjusting Okta’s global session policy to issue an MFA challenge at every sign-on, which will prevent attackers with a stolen cookie from accessing the main dashboard
  • Limit the length of Okta sessions and take other steps to reduce the window during which a stolen cookie can be used
  • Be aware that admin API actions authenticated via session cookie are only covered by the Global Session Policy, which is often less restrictive than other policies
  • Be aware that session hijacking allows attackers to bypass MFA
  • Require strong hardware MFA for all Okta admins to prevent token hijacking via attacker-in-the-middle phishing
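The log checks in the list above (support impersonation events, new API key issuance, new account creation) can be scripted against a System Log export. The following is an added example, not Fortified's or Okta's own tooling: it scans constructed sample events for the event types named, and flags any change made by an account that was the target of an earlier impersonation event. The impersonation event name is the one from the advisory; `system.api_token.create` and `user.lifecycle.create` are assumed Okta System Log event names and should be confirmed against your tenant's log.

```python
import json

# Okta System Log event types to review after the October 2023 support-system
# compromise. The impersonation name is from the advisory; the other two are
# assumed System Log event names (confirm them against your tenant's log).
WATCHED = {
    "user.session.impersonation.initiate": "Okta support impersonation started",
    "system.api_token.create": "new API token issued",
    "user.lifecycle.create": "new user account created",
}

# Constructed sample System Log export (one JSON event per line), not real data.
SAMPLE_LOG = """\
{"eventType":"user.session.start","published":"2023-10-02T12:00:00Z","actor":{"alternateId":"alice@example.test"},"client":{"ipAddress":"203.0.113.10"},"target":[]}
{"eventType":"user.session.impersonation.initiate","published":"2023-10-02T12:05:00Z","actor":{"alternateId":"support-engineer@okta.example"},"client":{"ipAddress":"198.51.100.7"},"target":[{"type":"User","alternateId":"admin@example.test"}]}
{"eventType":"system.api_token.create","published":"2023-10-02T12:09:00Z","actor":{"alternateId":"admin@example.test"},"client":{"ipAddress":"198.51.100.7"},"target":[{"type":"Token","displayName":"backup-automation"}]}
{"eventType":"user.lifecycle.create","published":"2023-10-02T12:11:00Z","actor":{"alternateId":"admin@example.test"},"client":{"ipAddress":"198.51.100.7"},"target":[{"type":"User","alternateId":"svc-backup@example.test"}]}
"""

def hunt_okta_events(log_text):
    """Return a finding dict for every watched event, in time order. A change
    made by an account that was the target of an earlier impersonation event
    is marked under_impersonation=True so it can be triaged first."""
    events = [json.loads(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e.get("published", ""))
    impersonated, findings = set(), []
    for ev in events:
        etype = ev.get("eventType")
        if etype not in WATCHED:
            continue
        actor = ev.get("actor", {}).get("alternateId")
        targets = [t.get("alternateId") or t.get("displayName") for t in ev.get("target", [])]
        if etype == "user.session.impersonation.initiate":
            impersonated.update(targets)  # these accounts are now acted upon by Okta support
        findings.append({
            "time": ev.get("published"),
            "event": etype,
            "why": WATCHED[etype],
            "actor": actor,
            "ip": ev.get("client", {}).get("ipAddress"),
            "targets": targets,
            "under_impersonation": actor in impersonated,
        })
    return findings

if __name__ == "__main__":
    for f in hunt_okta_events(SAMPLE_LOG):
        flag = " [UNDER IMPERSONATION]" if f["under_impersonation"] else ""
        print(f"{f['time']} {f['why']}: actor={f['actor']} ip={f['ip']} targets={f['targets']}{flag}")
```

Findings marked as made under impersonation should be matched against change management records before the associated tokens or accounts are allowed to stand.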

Leadership / Program recommendations:

  • Restrict the use of highly privileged accounts
  • Apply dedicated access policies for administrative users and monitor and investigate anomalous use of functions reserved for privileged users
  • Implement and enforce least privilege permissions

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.


References: