Detecting Cross-Origin Authentication Credential Stuffing Attacks

Okta

Summary

Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers. In this case, we have proactively notified the customers we identified that have this feature enabled, and provided additional guidance in a customer email.

For context, we observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers. In this type of attack, adversaries attempt to sign-in to online services using large lists of usernames and passwords potentially obtained from previous data breaches or unrelated entities, or from phishing or malware campaigns.

This post will assist you with investigating credential-stuffing attacks, as well as provide guidance in the “Recommended Actions” below.

Suspicious Activity Period

We have observed suspicious activity that started on April 15. Please note that this may not be continuous for every tenant, we recommend reviewing suspicious activity from that date forward.

Log Events to Review:

  • fcoa - Failed cross-origin authentication
  • scoa - Successful cross-origin authentication
  • pwd_leak - Someone attempted to login with a leaked password

Recommended Actions

Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. Refer to the Log Event Type Codes for more information.

If your tenant does not use cross-origin authentication, but `scoa` or fcoa events are present in event logs, then it is likely your tenant has been targeted in a credential stuffing attack. 

If your tenant does use cross-origin authentication and either saw a spike of `scoa` events in April or an increase in the ratio of failure-to-success events (fcoa/scoa), then it is likely your tenant has been targeted in a credential stuffing attack.

If a user password was compromised in a credential stuffing attack, the user’s credentials should be rotated immediately out of an abundance of caution.

Protecting your Tenant from Credential Stuffing Activity

Below are our recommendations on how to best protect your users from credential-stuffing attacks.

Longer-term solution:

Enroll users in passwordless, phishing resistant authentication. We recommend the use of passkeys as the most secure option. Passkeys are included on all Auth0 plans from our free plan through Enterprise.

Medium-term mitigations:

Prevent users from choosing weak passwords. Require a minimum of 12 characters and no parts of the user name. Block passwords found in the Common Password List. This can be done in the password policy.

Require -Factor Authentication. Auth0 offers a variety of MFA options available on our B2C Professional, B2B Essentials, B2B Professional, Startup, and Enterprise plans.

Short-term mitigations:

  • For any tenant that does not use cross-origin authentication, that endpoint can be disabled in the Auth0 Management Console to eliminate this attack vector. Refer to Configure Cross-Origin Resource Sharing for more information.
  • Restrict permitted origins if cross-origin authentication is required.
  • Enable breached password detection for your tenant, or ideally Credential Guard if it is supported in your current plan.
    • Breached password detection is available on our B2C Professional, B2B Professional, Startup, and Enterprise plans.
    • Credential Guard is available as an add-on through an Enterprise plan.

If you have an account with support available and need more information, you can reach out to Customer Support, and if you are on a free plan you can reach us via the Community. For details on features and availability per plan, please visit our pricing page.

Okta