Okta October 2023 Security Incident Investigation Closure
Related Posts: Recommended Actions - Nov 29, 2023 / Root Cause Analysis [RCA] - Nov 3, 2023 / Security Incident - Oct 20, 2023
Stroz Friedberg, a leading cybersecurity forensics firm engaged by Okta, has concluded its independent investigation of the October 2023 security incident. The conclusions of Okta’s investigation have not changed, and Stroz Friedberg has confirmed there is no evidence of further malicious activity beyond what was previously determined by Okta. The October 2023 security incident forensic report is now available to our customers and partners. While this completes Okta’s investigation of this incident, putting security first will continue to be a top priority. We will communicate further advancements on our commitment to secure identity for the industry.
As part of our response, we engaged with law enforcement, notified regulators, published indicators of compromise (IOCs), and provided a customized impact report to affected customers. Along with this report, we shared recommendations to help mitigate possible phishing and social engineering attacks.
Additionally, Okta has taken a number of steps to review and enhance the security of the Okta Help Center. We are also changing how and when access is provisioned to customer administrators as well as that system’s data retention policy.
While Okta’s production service was not impacted, we continue to strengthen our products and recommend configurations that make our customers more secure. We’ve recently announced features that allow customers to secure their administrative access in an Okta tenant, strengthen session security, and enhance location-based access controls, including:
Zero Standing Privileges for Okta Admins: Ensure admin roles are requested, approved, and assigned to authorized users only for the duration that access is needed.
MFA Required for Protected Actions in Admin Console: Provide an additional layer of protection for critical actions in Okta by requiring step-up authentication for admins to perform high-impact actions.
Detect and Block Requests from Anonymizers to Okta Endpoints in Dynamic Zones: Protect critical assets (e.g., the Admin Console, App Dashboard, and others) by blocking requests that originate from specified VPNs, anonymous proxies, and similar services.
IP Binding for Okta Products and the Admin Console: Invalidate Okta sessions if the source IP changes during the session, which helps prevent session takeover. This extends the initial remediation action of binding admin sessions.
Enforce an Allowlisted Network Zone for APIs: Restrict attackers and malware from stealing SSWS tokens and replaying them outside the specified IP range to gain unauthorized access.
Okta is committed to putting security first. We are continuing to invest in and deliver enhancements that secure customers, our products and services, and our corporate systems. While we have closed this investigation, our work is not done. In partnership with our customers and others, we know that together we can raise the bar for security practices in our industry. Look for more developments to be announced in the coming weeks.