Summary Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers. In this case, we have proactively notified the customers we identified that have this feature enabled, and...

Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools. From March 18, 2024 through to April 16, 2024, Duo Security and Cisco Talos observed large-scale brute force attacks on multiple models of VPN devices. From April 19, 2024 through to April 26, 2024, Okta’s Identity...

In the modern digital landscape, where threats evolve and organizational perimeters extend into the cloud, maintaining a strong security posture requires more than static defense mechanisms. This is where the Continuous Access Evaluation Profile (CAEP) and the Shared Signals Framework (SSF) come into play. At the recent Gartner Identity & Access Management Summit in London , Apoorva Deshpande, Okta Engineering Lead, along with other OpenID Foundation SSF Working Group members, demonstrated...

Summary Okta has confirmed and remediated a reported Okta Verify vulnerability. No action is needed by customers, and outside of the original proof of concept Okta did not identify any evidence of attempts to exploit this vulnerability. As part of our recent Okta Secure Identity Commitment, we are communicating this remediation to customers in the spirit of transparency. Response On April 5th, Okta received a report from a researcher at Persistent Security of a potential vulnerability in...

Summary: The time and effort spent on defensive domain registration would be better invested in writing phishing-resistant authentication policies. Today I want to make the case that registering domains for the sole purpose of protecting against phishing is tackling the phishing problem from the wrong angle. It is, to use a very British idiom, a “mug’s game”: an effort that’s unlikely to yield much success. Most organizations register additional domains based on various permutations of their...

Privileged users have always been and should always expect to be under constant attack from motivated adversaries. Over the last 90 days, Okta has devoted many of our most skilled resources into a program of work that dramatically hardens the Okta Admin Console, resulting in a number of new features, a subset of which are listed below. New Feature Description Availability ASN Session Binding Okta automatically revokes an administrative session if the ASN (Autonomous System Number)...

Over the past few years we’ve observed a fundamental shift in the threat model for highly targeted organizations. Today, if an attacker can’t manage to steal user credentials for highly targeted organizations, they will pivot to instead stealing a user’s proof of authentication. Attackers will use malware to steal session tokens from a user’s browser after they sign in. They may similarly use transparent proxies to steal session tokens from a user’s browser after they sign in. And as Okta’s...

Related Posts: Recommended Actions - Nov 29, 2023 / Root Cause Analysis [RCA] - Nov 3, 2023 / Security Incident - Oct 20, 2023 Stroz Friedberg, a leading cybersecurity forensics firm engaged by Okta, has concluded its independent investigation of the October 2023 security incident. The conclusions of Okta’s investigation have not changed, and Stroz Friedberg has confirmed there is no evidence of further malicious activity beyond what was previously determined by Okta. The October 2023 security...