Decipher File · September 2023 to October 2023
Okta Support: How HAR File Session Tokens Reached 1Password and Cloudflare
The Okta support breach is the cybersecurity incident that proved customer support uploads carry production session tokens. From late September to mid-October 2023, a threat actor used stolen credentials for Okta's customer support case management system to read customer-uploaded HAR files containing live session tokens, hijacked Okta admin sessions at five customers, and pushed BeyondTrust, 1Password, and Cloudflare into public disclosure.
Incident summary
Okta is the identity provider used by thousands of enterprises to broker single sign-on, MFA, and lifecycle management across SaaS applications. Per Okta's November 3, 2023 root cause analysis, between September 28, 2023 and October 17, 2023 a threat actor accessed files inside Okta's customer support case management system using the credentials of a support service account.
The compromised support system held HAR (HTTP Archive) files that customers had uploaded to assist Okta support with troubleshooting. HAR files captured by browsers include session cookies and authentication headers in plaintext. Per Okta's report, the actor harvested session tokens from those files and used them to hijack live Okta admin sessions at five customers.
Three of the affected customers disclosed publicly. BeyondTrust detected an unauthorized session on October 2, 2023 and informed Okta, escalating multiple times before Okta confirmed the breach. 1Password disclosed on October 23, 2023 that it had detected suspicious activity on its Okta tenant on September 29, 2023. Cloudflare disclosed on October 20, 2023 that it was the fifth and final identified target.
Attack technique
MITRE ATT&CK maps the technique chain to T1078.004 (Valid Accounts: Cloud Accounts) for the initial Okta support credential, T1213 (Data from Information Repositories) for HAR file collection, T1539 (Steal Web Session Cookie) for token extraction, and T1550.004 (Use Alternate Authentication Material: Web Session Cookie) for session hijack against downstream customers.
Per Okta's RCA, the support service account credentials had been saved into a personal Google profile by an Okta employee. That personal profile was synchronized across the employee's devices, including a personal device. When the personal device was compromised, the saved credentials reached the actor. Okta did not initially detect the support system access because the actor used valid credentials within expected operational patterns.
BeyondTrust's October 20 disclosure noted that the compromise of its Okta administrator session followed an Okta support agent's request that BeyondTrust generate a HAR file on October 2, 2023. Within 30 minutes of the HAR file upload, the actor used the captured session token to access the BeyondTrust Okta administrator account. BeyondTrust's own zero trust controls blocked downstream lateral movement, limiting the impact.
Impact and consequences
Okta initially described the impact as affecting less than 1 percent of customers. Per the November 28, 2023 update, the count of notified customers reached 134, and a follow-on disclosure expanded notification to all 18,400 of Okta's then-customers with records visible in the support system. Okta's stock price fell approximately 11 percent on October 20, 2023, the day of the SEC 8-K filing.
BeyondTrust's public timeline embarrassed Okta's incident response. BeyondTrust escalated its detection to Okta multiple times between October 2 and October 19, 2023, before Okta confirmed the breach publicly. The pattern of customer-driven detection, similar to the State Department's detection of Storm-0558, raised industry questions about identity vendors' self-monitoring capabilities.
Okta announced significant security enhancements through 2024 including the Secure Identity Commitment, a public framework of customer-facing identity controls. Okta also accelerated rollout of session-binding controls that link Okta admin sessions to specific browsers and devices, reducing the value of stolen session tokens.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- Okta admin session origination from non-corporate IP ranges
- Authentication using session tokens captured from HAR files uploaded to Okta support
- New IdP-level admin role assignments not associated with provisioning workflows
- Suspicious IP address range identified by BeyondTrust and shared with Okta on October 13, 2023
- Access to Okta customer support cases containing customer-uploaded HAR archives
Lessons for defenders
Customer support data is production data. HAR files, screenshots, log archives, and database exports uploaded to support tickets often contain live secrets. Treat the support system as a production data store and apply equivalent access controls, audit logging, and customer-data-minimization workflows.
Sanitize HAR files before upload. HAR files captured by Chrome or Firefox include session cookies, authorization headers, and request bodies in plaintext. Tools including HAR Sanitizer remove sensitive fields. Vendor support workflows should require sanitized HAR files only.
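The redaction step described above, as an added example that is not part of the original page and not Okta's, Cloudflare's or HAR Sanitizer's code. It walks the standard HAR 1.2 structure (log.entries[].request/response) and blanks the fields that carried live tokens in this incident: Cookie, Set-Cookie and Authorization headers, the parsed cookie arrays, and request and response bodies. The SAMPLE_HAR, the tenant.example host and the CONSTRUCTED-* values are constructed placeholders; residual_secrets() is the pre-upload check a support workflow can require.

```python
"""Redact session material from a HAR (HTTP Archive) file before upload.

Added example, not vendor code. Handles the fields that leaked live session
tokens in the 2023 Okta support incident. SAMPLE_HAR is constructed.
"""
import copy
import json
import sys

REDACTED = "[REDACTED]"
# Header names whose values are secrets; matched case-insensitively.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie", "set-cookie"})


def residual_secrets(har):
    """Return (entry_index, side, header_name) for every sensitive header that still
    carries a value. Run on the output before upload; an empty list is the pass condition."""
    leaks = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            for h in entry.get(side, {}).get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") not in ("", REDACTED):
                    leaks.append((i, side, h["name"]))
    return leaks


def sanitize_har(har, drop_bodies=True):
    """Return (sanitized_copy, stats). The input object is left untouched."""
    clean = copy.deepcopy(har)
    stats = {"headers": 0, "cookies": 0, "bodies": 0}
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") not in ("", REDACTED):
                    h["value"] = REDACTED
                    stats["headers"] += 1
            # Browsers also record cookies as parsed name/value pairs; redact those too.
            for c in msg.get("cookies", []):
                if c.get("value") not in (None, "", REDACTED):
                    c["value"] = REDACTED
                    stats["cookies"] += 1
        if drop_bodies:
            # Bodies can hold tokens in JSON responses or form posts; drop them by default.
            post = entry.get("request", {}).get("postData", {})
            if post.get("text"):
                post["text"] = REDACTED
                stats["bodies"] += 1
            content = entry.get("response", {}).get("content", {})
            if content.get("text"):
                content["text"] = REDACTED
                stats["bodies"] += 1
    return clean, stats


# Constructed single-entry HAR: an admin API call carrying a session cookie and a
# bearer token, with a Set-Cookie in the response. Values are placeholders.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://tenant.example/api/v1/users/me",
                    "headers": [
                        {"name": "Host", "value": "tenant.example"},
                        {"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-ID-0001"},
                        {"name": "Authorization", "value": "Bearer CONSTRUCTED-TOKEN"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-ID-0001"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=CONSTRUCTED-SESSION-ID-0002; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-ID-0002"}],
                    "content": {"mimeType": "application/json", "text": "{\"id\":\"constructed\"}"},
                },
            }
        ],
    }
}


def sanitize_file(src_path, dst_path):
    """Command-line helper: read src_path, write the sanitized HAR to dst_path, return stats."""
    with open(src_path, encoding="utf-8") as f:
        har = json.load(f)
    clean, stats = sanitize_har(har)
    with open(dst_path, "w", encoding="utf-8") as f:
        json.dump(clean, f, indent=2)
    return stats


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(sanitize_file(sys.argv[1], sys.argv[2]))
    else:
        sanitized, counts = sanitize_har(SAMPLE_HAR)
        print("redacted:", counts, "residual:", residual_secrets(sanitized))
```

Bodies are dropped by default because the troubleshooting value of a HAR is usually in the request sequence, status codes and timings, not the payloads; pass drop_bodies=False only when a support engineer has explicitly asked for a body, and still run residual_secrets() on the result.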
Monitor identity provider admin session origin. The Okta admin session hijack was detected at BeyondTrust because BeyondTrust monitored Okta admin session source IPs and detected an unusual range. Network-binding controls and IP-allowlisting for IdP admin sessions defeat this entire class of session-replay attack.
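The session-origin monitoring described above, and the indicators listed under Indicators of Compromise, as an added example that is not part of the original page and not BeyondTrust's or Okta's code. It runs three hunts over Okta System Log records: an admin-related event from outside the corporate egress ranges, one session id seen from more than one source address (the replay pattern, where the legitimate admin's session is reused from elsewhere), and an admin privilege grant by an actor outside the provisioning workflow. The field names follow the Okta System Log JSON schema as I know it (eventType, client.ipAddress, actor.alternateId, authenticationContext.externalSessionId); the events, corp.example accounts and the 203.0.113.0/24 corporate range are constructed for illustration and mirror the 30-minute window in the BeyondTrust timeline.

```python
"""Hunt Okta System Log events for admin-session replay from non-corporate IPs.

Added example, not vendor code. Event records, accounts and CIDRs are constructed.
"""
import ipaddress
from collections import defaultdict

# Event types that indicate an admin-relevant session action (Okta System Log names).
ADMIN_EVENT_TYPES = {
    "user.session.start",
    "user.session.access_admin_app",
    "user.account.privilege.grant",
}


def _event(event_type, actor, ip, session_id, published):
    """Build a minimal System Log record carrying only the fields the rules inspect."""
    return {
        "eventType": event_type,
        "published": published,
        "actor": {"alternateId": actor, "type": "User"},
        "client": {"ipAddress": ip},
        "authenticationContext": {"externalSessionId": session_id},
        "outcome": {"result": "SUCCESS"},
    }


# Constructed events: an admin signs in from the office, then the same session id is
# used from an outside address within 30 minutes and grants a new admin privilege.
# A second user and a provisioning service account show the benign baseline.
SAMPLE_EVENTS = [
    _event("user.session.start", "admin@corp.example", "203.0.113.10", "sess-A", "2023-10-02T14:00:00Z"),
    _event("user.session.access_admin_app", "admin@corp.example", "203.0.113.10", "sess-A", "2023-10-02T14:05:00Z"),
    _event("user.session.access_admin_app", "admin@corp.example", "198.51.100.77", "sess-A", "2023-10-02T14:25:00Z"),
    _event("user.account.privilege.grant", "admin@corp.example", "198.51.100.77", "sess-A", "2023-10-02T14:30:00Z"),
    _event("user.session.start", "analyst@corp.example", "203.0.113.22", "sess-B", "2023-10-02T14:40:00Z"),
    _event("user.account.privilege.grant", "scim-provisioner@corp.example", "203.0.113.5", "sess-C", "2023-10-02T15:00:00Z"),
]

CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corporate egress range
PROVISIONING_ACTORS = {"scim-provisioner@corp.example"}      # actors allowed to grant admin roles


def _is_corporate(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def analyze(events, corporate_nets=CORPORATE_NETS, provisioning_actors=PROVISIONING_ACTORS):
    """Return a list of finding dicts, one per rule hit."""
    findings = []
    ips_by_session = defaultdict(set)
    for ev in events:
        etype = ev.get("eventType", "")
        ip = ev.get("client", {}).get("ipAddress", "")
        actor = ev.get("actor", {}).get("alternateId", "")
        sess = ev.get("authenticationContext", {}).get("externalSessionId", "")
        if sess and ip:
            ips_by_session[sess].add(ip)
        # Rule 1: admin-relevant activity originating outside the corporate ranges.
        if etype in ADMIN_EVENT_TYPES and ip and not _is_corporate(ip, corporate_nets):
            findings.append({"rule": "admin_event_from_noncorporate_ip", "eventType": etype,
                             "actor": actor, "ip": ip, "session": sess, "published": ev.get("published")})
        # Rule 2: privilege grants that did not come from the provisioning workflow.
        if etype == "user.account.privilege.grant" and actor not in provisioning_actors:
            findings.append({"rule": "privilege_grant_outside_provisioning", "actor": actor,
                             "ip": ip, "session": sess, "published": ev.get("published")})
    # Rule 3: one session id observed from several source addresses (token replay).
    for sess, ips in ips_by_session.items():
        if len(ips) > 1:
            findings.append({"rule": "session_used_from_multiple_ips", "session": sess, "ips": sorted(ips)})
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule_name: hit_count}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Rule 3 is the one that would have fired in the BeyondTrust case even if the attacker's address had not been on a known-bad list: the session was legitimately created from the office and then reused from elsewhere, which a per-session source-address comparison catches without any reputation data. Network binding on the IdP side removes the finding class entirely, which is why the page recommends it.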
Storage of high-privilege credentials in personal profiles is a tier-zero anti-pattern. The Okta support service account credentials reached the actor via a personal Google profile sync. Tier-zero credentials must reside only in approved password managers with no sync to personal devices.
Vendor-side incident detection capability is a procurement question. Multiple Okta customers detected this incident before Okta did. Procurement and vendor risk teams should ask vendors not just whether they have IDS, but whether the vendor's IDS detects misuse of vendor-internal systems by external actors using legitimate credentials.
Frequently asked questions
How did the Okta support breach happen?
Per Okta's November 3, 2023 root cause analysis, an Okta employee saved support service account credentials in a personal Google profile that synchronized to a personal device. When the personal device was compromised, the saved credentials reached the threat actor, who logged into Okta's customer support case management system between September 28 and October 17, 2023.
Why did HAR files matter in the Okta support breach?
HAR (HTTP Archive) files captured by browsers include session cookies and authentication headers in plaintext. Customers uploaded HAR files to Okta support tickets for troubleshooting. The threat actor read those files in the support system and extracted live Okta admin session tokens, then used the tokens to hijack admin sessions at five customers including BeyondTrust, 1Password, and Cloudflare.
What did Okta change after the support system breach?
Okta launched the Secure Identity Commitment in 2024, accelerated session-binding controls that link admin sessions to specific browsers and devices, and tightened controls on personal device credential storage by employees. Okta also expanded support-system audit logging and customer-detection-capability documentation. Customer count notified expanded from less than 1 percent to all 18,400 then-customers per the November 28, 2023 update.
Sources
- Okta Security: Unauthorized Access to Okta's Support Case Management System Root Cause and Remediation · Okta's November 3, 2023 root cause analysis
- BeyondTrust: Okta Support Unit Breach · BeyondTrust October 20, 2023 disclosure of detection and response timeline
- Cloudflare: How Cloudflare Mitigated Yet Another Okta Compromise · Cloudflare October 20, 2023 disclosure
- 1Password: Okta Incident October 2023 · 1Password October 23, 2023 incident report
- Okta SEC 8-K Filing (October 20, 2023) · Okta initial SEC disclosure of the incident
- Okta Update: 134 Customers Notified (November 28, 2023) · Expanded customer impact disclosure
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.