Security Teams Need to Investigate the Okta Breach Themselves

Trust, but verify. While organizations wait for official alerts and notifications from Okta, security teams should also begin their own investigations to determine whether they have been exposed.

For companies that rely on Okta for identity management or have Okta as part of their authentication stack, the latest report regarding an Okta breach is extremely disconcerting. Despite Okta’s assurances that it was a “relatively minor” event (per Okta CSO David Bradbury) and that there are no corrective actions customers need to take, security teams at organizations using Okta should engage in their own incident response exercise to verify whether they have been exposed.

Since a Cloudflare employee’s email address was included in the screenshots posted by the attack group claiming a breach, the Internet infrastructure company’s internal Security Incident Response Team launched an investigation, Cloudflare said in a blog post. The post details all the actions Cloudflare took to investigate, and it can be a helpful guide for any organizations trying to determine how they should proceed with the news of this breach.

Cloudflare’s SIRT checked the logs and found no relevant audit log events, such as password changes, associated with the employee whose email address was exposed, wrote Cloudflare CTO John Graham-Cumming, together with Lucas Ferreira, Cloudflare’s security operations engineering manager, and Daniel Stinson-Diess, a security engineer for detection and response. Access for that employee was temporarily suspended.
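As an added example (not Cloudflare’s or Okta’s code), a small triage script in the spirit of the log check described above: it walks Okta System Log events exported as JSON lines and reports password and MFA changes that touch one employee’s address, whether that address is the actor or the target. The event type names and the sample events are assumptions in the shape of Okta’s System Log, not data from the post.

```python
import json

# Event types worth a second look in this kind of triage. Names follow Okta's
# System Log eventType convention; treat the exact list as an assumption.
SENSITIVE_EVENT_TYPES = {
    "user.account.update_password",
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}

def parse_events(raw_lines):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in raw_lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole review
    return events

def events_touching_user(events, email):
    """Return events where the given user is the actor or one of the targets."""
    email = email.lower()
    hits = []
    for ev in events:
        actor = (ev.get("actor") or {}).get("alternateId", "")
        targets = [t.get("alternateId", "") for t in ev.get("target") or []]
        if any(e.lower() == email for e in [actor] + targets):
            hits.append(ev)
    return hits

def triage(raw_lines, email):
    """Map each sensitive event type affecting the user to its timestamps."""
    summary = {}
    for ev in events_touching_user(parse_events(raw_lines), email):
        et = ev.get("eventType", "")
        if et in SENSITIVE_EVENT_TYPES:
            summary.setdefault(et, []).append(ev.get("published"))
    return summary

# Constructed sample events in Okta System Log shape (not real log data).
SAMPLE_LOG = [
    '{"eventType":"user.session.start","published":"2022-03-22T10:00:00Z","actor":{"alternateId":"alice@example.com"},"target":[]}',
    '{"eventType":"user.account.update_password","published":"2022-03-22T10:05:00Z","actor":{"alternateId":"support@okta.example"},"target":[{"alternateId":"alice@example.com"}]}',
    '{"eventType":"user.account.update_password","published":"2022-03-22T11:00:00Z","actor":{"alternateId":"bob@example.com"},"target":[{"alternateId":"bob@example.com"}]}',
    'not valid json',
]
```

An empty result for a given address, as in Cloudflare’s case, is the expected outcome; any entry is a lead to review against who performed the action and from where.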

According to the blog post, Cloudflare uses Okta internally to manage employee identities but not for any customer-related accounts.
