Potential Phishing Attacks Related to Okta Customer Support System
IMPACT: Firms using Okta Security products: Okta Workforce Identity Cloud and Customer Identity Solution
Firms should review this information with their information technology personnel and any vendors or third parties to assess the risk associated with the Okta data breach.
FINRA’s Cyber and Analytics Unit (CAU) is highlighting an Okta data breach spanning from September 28 to October 17, 2023 that impacts Okta customer support system users. Okta reported that threat actors downloaded names and email addresses, along with other relevant metadata, of their customer support system users. The information could be leveraged in phishing or other social engineering attacks and potentially lead to the targeting of firm personnel in an Okta administrator or customer support role.
In Okta’s initial reporting, the threat actor leveraged session tokens and hijacked the service account, which potentially allowed actors to view and update Okta customer support cases. New analysis by Okta revealed an impact to nearly all Okta customer support system users, some of whom are also administrators. However, Okta was not aware of the compromised data being actively exploited as of late November.
Credentials and other identifying information exposed in the Okta breach may be leveraged by threat actors to conduct social engineering attacks. For example, a recent FINRA alert described an ongoing phishing and social engineering campaign exploiting leaked credentials targeting IT help desk personnel.
Firms should immediately determine whether they or their vendors utilize Okta, and evaluate their exposure. FINRA is highlighting the following effective practices:
- Reviewing the indicators of compromise and remediation steps shared by Okta.
- Increasing employee awareness of the threats posed by phishing and social engineering.
- Monitoring for leaked employee credentials.
- Examining vendors and staying up to date on vendor-related incidents.
- Leveraging the FINRA Small Firm Checklist to identify and monitor vendor and third-party risks.
- Reviewing FINRA’s Cyber Security Advisory on Effective Practices for Responding to a Cyber Incident, and considering reporting key findings to government agencies and your assigned FINRA Risk Monitoring Analyst.
Contact FINRA’s CAU with questions related to this Alert or other cybersecurity-related topics. The FBI and CISA urge you to promptly report cybersecurity incidents to a local FBI Field Office (and the FBI Internet Crime Complaint Center (IC3) at IC3.gov), or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). Regulatory tips related to cybersecurity should also be filed with FINRA.
Note: If you would like to add or change recipients of this email, please update your firm’s Chief Information Security Officer (CISO) and/or Chief Compliance Officer (CCO) contacts in FINRA Gateway.