November 6, 2023 Okta is blaming a recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop, exposing credentials that led to the theft of data from multiple Okta customers.

In a brief post-mortem, Okta security chief David Bradbury said the internal lapse was the “most likely avenue” for the breach that affected hundreds of Okta customers, including cybersecurity companies BeyondTrust and Cloudflare.

The threat actor gained unauthorized access to files inside Okta’s customer support system from September 28 to October 17, 2023. Some of these files contained session tokens that could be used for session hijacking attacks.

Bradbury said the threat actor was able to hijack the legitimate Okta sessions of five customers. The hackers leveraged a service account stored in the system itself that was granted permissions to view and update customer support cases.

Bradbury said the most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.

The employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account.

Bradbury admitted to a failure of internal controls to spot the breach.

The sources for this piece include an article in SecurityWeek.