Okta's 2023 support-system breach: when your IdP gets phished
What happened
In October 2023 Okta disclosed that an attacker accessed its customer support case management system using a stolen credential. Support cases often include HAR (HTTP Archive) files that customers upload to reproduce issues, and those files contained live session tokens. The attacker used them to pivot into a handful of Okta customers. Several customers, including 1Password, BeyondTrust, and Cloudflare, detected the suspicious activity and reported it, and Cloudflare's own controls contained it.
Root cause
Two failures combined. First, a service account credential was reportedly saved to a personal Google profile on a managed device, giving the attacker a way in. Second, the support system stored HAR files that still contained valid session tokens, so a read of support data became a set of usable credentials.
The identity lesson
Your identity provider, and the tooling around it, is the highest-value target you own. A breach of support infrastructure became an identity breach because session tokens were sitting in uploaded files. Tokens are bearer credentials: whoever holds one is the user until it expires.
How to defend
- Sanitize HAR files and any support uploads to strip cookies and tokens before storage.
- Bind sessions to a device or client where possible (token binding, DPoP) so a stolen token is useless elsewhere, and keep session lifetimes short.
- Treat admin and support tooling as tier-zero: phishing-resistant MFA, no shared or personal-profile credentials, and tight monitoring.
- Adopt continuous session evaluation so anomalous token use triggers revocation. This is core identity threat detection and response (ITDR) territory.
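A sanitizer for the first defence above, added here as an example rather than Okta's or any vendor's code: it scrubs a HAR 1.2 document before storage, covering the places tokens hide that a naive "delete the Cookie header" pass misses (the parsed cookies arrays, the full URL string as well as queryString, and request/response bodies). The sample HAR and token values are constructed, and the header and parameter name lists are assumptions to extend for your own applications.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Credential-bearing header names and token-style parameter names (assumed defaults, case-insensitive).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "session_token"}

def _redact_pairs(pairs, names):
    for pair in pairs:  # HAR headers, cookies, queryString and params are all {name, value} lists
        if pair.get("name", "").lower() in names:
            pair["value"] = REDACTED

def _redact_url(url):
    # HAR stores the full URL as well as the parsed queryString; both must be scrubbed.
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    # Works on a deep copy so the caller's original is left untouched.
    clean = json.loads(json.dumps(har))
    for entry in clean["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = _redact_url(req.get("url", ""))
        _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        _redact_pairs(req.get("postData", {}).get("params", []), SENSITIVE_PARAMS)
        for side in (req, resp):
            _redact_pairs(side.get("headers", []), SENSITIVE_HEADERS)
            for cookie in side.get("cookies", []):  # parsed copies of Cookie / Set-Cookie
                cookie["value"] = REDACTED
        # Bodies routinely echo tokens (login responses, form posts); drop them outright.
        for body in (req.get("postData", {}), resp.get("content", {})):
            body.pop("text", None)
    return clean

def leaks(har, secret):
    return secret in json.dumps(har)  # True if the value survives anywhere in the document

# Constructed sample: one exchange with a fictional IdP carrying tokens in URL, headers, cookies and body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://idp.example.test/api/me?token=QUERY_TOKEN_1&v=2",
                "headers": [{"name": "Cookie", "value": "sid=SESSION_TOKEN_1"},
                            {"name": "Authorization", "value": "Bearer ACCESS_TOKEN_1"}],
                "cookies": [{"name": "sid", "value": "SESSION_TOKEN_1"}],
                "queryString": [{"name": "token", "value": "QUERY_TOKEN_1"}, {"name": "v", "value": "2"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=SESSION_TOKEN_2; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "SESSION_TOKEN_2"}],
                 "content": {"mimeType": "application/json", "text": '{"sessionToken": "BODY_TOKEN_1"}'}}}]}}
```

The sanitizer matches by field name, so a support intake pipeline should run it on every upload and reject files whose custom headers or parameters are not yet in the lists; leaks() is only a self-check against known sample values.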