Okta says a single employee using a personal device and email account was to blame for its hack
Someone used a business laptop for private matters
Okta has concluded its investigation into its recent data breach incident, finding that it was most likely caused by an employee saving login credentials to their private Google profile in the Chrome browser and then signing in to that profile on a company endpoint.
In an announcement published on the Okta website, the company’s Chief Security Officer David Bradbury said the threat actor abused a service account that was stored in Okta’s system.
This account had permission to view and update customer support cases.
A handful of victims
“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury revealed. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”
In October, unidentified hackers broke into Okta’s customer support system, which gave them access to, among other things, client session cookies. With the help of these cookies, the attackers were able to bypass login screens and even multi-factor authentication (MFA) requirements.
The attack was first spotted by security experts from BeyondTrust, who were called in by one of their clients to inspect a hacking attempt that happened soon after an admin shared a browser session recording with Okta.
In total, Bradbury further explained, 134 Okta customers were affected by this incident, which is less than 1% of its entire customer base. Of those 134, the attackers managed to use cookies to hijack legitimate Okta sessions in five instances, three of which were reported back to Okta by the affected customers.
To address the problem, Okta released session token binding based on network location, Bradbury concluded. “Okta administrators are now forced to re-authenticate if we detect a network change. This feature can be enabled by customers in the early access section of the Okta admin portal.”
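As an added illustration of the network-bound session check the article describes (example code written here, not Okta’s own; the /24 and /64 network granularity, the session lifetime and the in-memory store layout are assumptions):

```python
# Added example, not Okta's code: a minimal session store that records the
# network location seen at login and revokes the session, forcing
# re-authentication, when the same token later arrives from a different network.
# This is the defensive property that makes a replayed session cookie useless
# from an attacker's network. Granularity and TTL below are assumptions.
import hashlib
import ipaddress
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_TTL = 8 * 3600  # assumed session lifetime in seconds


def network_key(ip: str) -> str:
    """Coarse network location: the /24 for IPv4, the /64 for IPv6 (assumed)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class SessionStore:
    def __init__(self) -> None:
        # Keyed by a hash of the token so a dump of the store cannot be replayed.
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, ip: str, now: Optional[float] = None) -> str:
        """Issue a fresh session token bound to the caller's network location."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user,
            "net": network_key(ip),
            "issued": time.time() if now is None else now,
        }
        return token

    def validate(self, token: str, ip: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Return ("ok", user) or ("reauth", reason). Any failure revokes the token."""
        now = time.time() if now is None else now
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return ("reauth", "unknown_token")
        if now - rec["issued"] > SESSION_TTL:
            del self._sessions[self._key(token)]
            return ("reauth", "expired")
        if network_key(ip) != rec["net"]:
            # Token presented from another network: treat as a possible replay.
            del self._sessions[self._key(token)]
            return ("reauth", "network_changed")
        return ("ok", rec["user"])
```

A production deployment would persist the store and log the `network_changed` outcome, since that event is the detection signal for a hijacked session.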
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.