Matt Johansen
Oct 24 · 17 tweets · 5 min read
Okta got hacked, with downstream impact on Cloudflare, 1Password, and BeyondTrust.

Here's everything we know about it:
Okta's support system was compromised, allowing unauthorized access to files that customers had uploaded to support cases.

Notably, Okta did not discover the breach themselves; it was independently detected by BeyondTrust and Cloudflare.
BeyondTrust detected an identity-centric attack on October 2, 2023, which led them to believe that Okta's support system was compromised.

They alerted Okta, but it took until October 19 for Okta to confirm the breach.
Cloudflare discovered attacks traced back to Okta on October 18, 2023. They contained the attack; no Cloudflare customer information or systems were impacted.

Cloudflare contacted Okta about the breach before Okta had notified them.
1Password has released an incident report that goes into a lot of detail about what they saw and how they responded.
I'm a bit concerned that a privileged 1Password staff member's endpoint didn't have a YubiKey enforced until after this incident.

And the free version of Malwarebytes also doesn't instill a ton of confidence.
What led to the breach to begin with?

Okta has said only that stolen credentials were used; anything beyond that is speculation. What is clear is that it all started on their support portal.

Okta support often asks customers to upload HTTP Archive (HAR) files for troubleshooting. A HAR file is the browser's recording of a session's full HTTP traffic: every request and response, headers included.

That means HAR files can contain sensitive info like session cookies and bearer tokens, enough for whoever holds the file to act as the user who recorded it.
Upon being notified of the incident, Okta revoked the session tokens embedded in the affected HAR files.

Okta also advised users to sanitize HAR files by removing sensitive data (cookies and session tokens) before sharing them.
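Here is what that sanitization looks like in practice, written for this page as an added example (it is not Okta's tooling and is not from the original thread). It walks the HAR 1.2 structure and redacts Cookie/Set-Cookie/Authorization headers, every recorded cookie, token-like query parameters and JSON body fields, and anything shaped like a JWT in non-JSON bodies. The sample archive, the header list and the key pattern are assumptions chosen for the demo; the `SSWS` Authorization scheme is the format of an Okta API token.

```python
"""Redact credentials from a HAR (HTTP Archive 1.2) file before sharing it.

Added example for this page, not Okta's tooling. The archive at the bottom
is a constructed sample; real browser exports are far larger.
"""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Headers that carry credentials (assumed list; extend it for your apps).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key", "x-okta-xsrftoken"}
# Query-string / JSON keys that usually hold secrets. Deliberately broad:
# over-redacting a support file is cheap, leaking a session is not.
SENSITIVE_KEY = re.compile(r"token|session|passw|secret|sid|jwt|code", re.I)
# Three base64url segments: a JWT (or similar) sitting in a non-JSON body.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def scrub_pairs(pairs, matches):
    """Redact the value of every {name, value} item whose name matches."""
    hits = 0
    for item in pairs or []:
        if matches(item.get("name", "")):
            item["value"] = REDACTED
            hits += 1
    return hits


def scrub_url(url):
    """Redact sensitive query parameters, keeping the rest of the URL intact."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    clean = [(k, REDACTED if SENSITIVE_KEY.search(k) else v) for k, v in query]
    hits = sum(1 for (_, old), (_, new) in zip(query, clean) if old != new)
    return urlunsplit(parts._replace(query=urlencode(clean))), hits


def scrub_json(obj):
    """Recursively redact string values stored under sensitive keys."""
    hits = 0
    if isinstance(obj, dict):
        for key, val in obj.items():
            if isinstance(val, str) and SENSITIVE_KEY.search(key):
                obj[key] = REDACTED
                hits += 1
            else:
                hits += scrub_json(val)
    elif isinstance(obj, list):
        for val in obj:
            hits += scrub_json(val)
    return hits


def scrub_body(text):
    """JSON bodies are walked by key; anything else is scanned for JWTs."""
    if not text:
        return text, 0
    try:
        data = json.loads(text)
    except ValueError:
        return JWT_RE.subn(REDACTED, text)
    hits = scrub_json(data)
    return json.dumps(data), hits


def sanitize_har(har):
    """Return (sanitized copy, number of redactions). The input is untouched."""
    har = copy.deepcopy(har)
    hits = 0
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        for msg in (req, resp):
            hits += scrub_pairs(msg.get("headers"),
                                lambda n: n.lower() in SENSITIVE_HEADERS)
            hits += scrub_pairs(msg.get("cookies"), lambda n: True)  # every cookie
        req["url"], n = scrub_url(req["url"])
        hits += n
        hits += scrub_pairs(req.get("queryString"), SENSITIVE_KEY.search)
        if "postData" in req:
            req["postData"]["text"], n = scrub_body(req["postData"].get("text"))
            hits += n
        if "content" in resp:
            resp["content"]["text"], n = scrub_body(resp["content"].get("text"))
            hits += n
    return har, hits


def leaked_secrets(har, secrets):
    """Which of the given secret strings still appear anywhere in the archive."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed sample: roughly what a login to an Okta org would record.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/oauth2/v1/authorize"
               "?client_id=abc&state=xyz&sessionToken=20111abc",
        "headers": [{"name": "Host", "value": "example.okta.com"},
                    {"name": "Cookie", "value": "sid=102abc; idx=idxsecret"},
                    {"name": "Authorization", "value": "SSWS 00AbCdEf"}],
        "cookies": [{"name": "sid", "value": "102abc"},
                    {"name": "idx", "value": "idxsecret"}],
        "queryString": [{"name": "client_id", "value": "abc"},
                        {"name": "state", "value": "xyz"},
                        {"name": "sessionToken", "value": "20111abc"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102abc; Secure; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102abc"}],
        "content": {"mimeType": "application/json",
                    "text": '{"status":"SUCCESS","sessionToken":"20111abc",'
                            '"_embedded":{"user":{"id":"00u1"}}}'},
    },
}]}}
SECRETS = ["20111abc", "102abc", "idxsecret", "00AbCdEf"]

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"{n} redactions; still leaking: {leaked_secrets(clean, SECRETS)}")
    print(json.dumps(clean, indent=1))
```

Run it over the export before attaching it to a ticket, then grep the result for the values you know are secret (the `leaked_secrets` check) rather than trusting the redaction count. Even a sanitized HAR still reveals URLs, user IDs and app structure, so treat it as confidential and delete it from the case when the ticket closes.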
My opinion: This HAR file sanitization is not the burden of the customer.

Okta needs to have a better process here.
The breach primarily affected Okta's support case management system.

Other systems, including the Okta service itself and the Auth0/CIC case management system, remain unaffected by this incident.
It is reported that around 170 of Okta's customers were impacted, a figure that reads like an attempt to downplay the incident.

But we know about 3 of them, and they are Cloudflare, BeyondTrust, and 1Password. That is not a small impact even if most Okta customers weren't involved.
Okta has provided IoCs to help customers identify potential malicious activity.

This includes a list of IP addresses and user agents associated with the attacker. The place to search for them is the Okta System Log, keeping in mind that shared egress IPs and VPN exits will produce false positives, and a user-agent string on its own is weak evidence.
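As an added example (not from the thread and not Okta's code), here is the check a defender runs once a vendor publishes an IoC list like this: scan exported Okta System Log events for client IPs and user agents on the list, restricted to the window the thread gives (BeyondTrust's detection on October 2 through Okta's confirmation on October 19). The IoC values below are constructed placeholders from the RFC 5737 documentation ranges, not Okta's published list; the event records are a trimmed version of the System Log schema (`published`, `eventType`, `actor.alternateId`, `client.ipAddress`, `client.userAgent.rawUserAgent`) and are constructed for the demo.

```python
"""Match Okta System Log events against a published IoC list.

Added example for this page. The IoC values and the log events are
constructed; substitute the vendor's real list. Event fields follow the
System Log schema, trimmed to what the check needs.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed IoCs (RFC 5737 ranges), NOT Okta's list. CIDRs are accepted.
IOC_IPS = ["203.0.113.7", "198.51.100.0/24"]
IOC_USER_AGENTS = {
    "Mozilla/5.0 (X11; Linux x86_64) curl-like/1.0",  # hypothetical value
}
# Window the thread supports: first detection (Oct 2) to confirmation (Oct 19).
WINDOW = (datetime(2023, 10, 2, tzinfo=timezone.utc),
          datetime(2023, 10, 20, tzinfo=timezone.utc))


def parse_published(ts):
    """Okta timestamps look like 2023-10-03T12:00:00.000Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def event_reasons(event, networks, user_agents, window=WINDOW):
    """Return why this event matched the IoCs ([] when it did not)."""
    start, end = window
    if not (start <= parse_published(event["published"]) < end):
        return []
    reasons = []
    client = event.get("client") or {}
    ip = client.get("ipAddress")
    if ip and any(ipaddress.ip_address(ip) in net for net in networks):
        reasons.append(f"ip:{ip}")
    ua = (client.get("userAgent") or {}).get("rawUserAgent")
    if ua in user_agents:
        reasons.append("user-agent")
    return reasons


def scan_log(lines, ioc_ips=IOC_IPS, ioc_uas=IOC_USER_AGENTS):
    """Scan newline-delimited JSON events; return hits grouped per actor."""
    networks = [ipaddress.ip_network(x, strict=False) for x in ioc_ips]
    by_actor = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = event_reasons(event, networks, ioc_uas)
        if reasons:
            actor = (event.get("actor") or {}).get("alternateId", "?")
            by_actor[actor].append({
                "published": event["published"],
                "eventType": event.get("eventType"),
                "reasons": reasons,
            })
    return dict(by_actor)


# Constructed sample export (one JSON event per line), not real log data.
CHROME = "Mozilla/5.0 Chrome/118"
SAMPLE_LOG = [
    json.dumps({"published": "2023-10-03T12:00:00.000Z",
                "eventType": "user.session.start",
                "actor": {"alternateId": "alice@example.com", "type": "User"},
                "client": {"ipAddress": "203.0.113.7",
                           "userAgent": {"rawUserAgent": CHROME}}}),
    json.dumps({"published": "2023-10-05T08:30:00.000Z",
                "eventType": "user.authentication.sso",
                "actor": {"alternateId": "bob@example.com", "type": "User"},
                "client": {"ipAddress": "198.51.100.44",
                           "userAgent": {"rawUserAgent":
                                         "Mozilla/5.0 (X11; Linux x86_64) curl-like/1.0"}}}),
    json.dumps({"published": "2023-10-10T09:00:00.000Z",
                "eventType": "user.session.start",
                "actor": {"alternateId": "carol@example.com", "type": "User"},
                "client": {"ipAddress": "192.0.2.10",
                           "userAgent": {"rawUserAgent": CHROME}}}),
    json.dumps({"published": "2023-09-01T09:00:00.000Z",  # before the window
                "eventType": "user.session.start",
                "actor": {"alternateId": "alice@example.com", "type": "User"},
                "client": {"ipAddress": "203.0.113.7",
                           "userAgent": {"rawUserAgent": CHROME}}}),
]

if __name__ == "__main__":
    for actor, hits in scan_log(SAMPLE_LOG).items():
        for h in hits:
            print(actor, h["published"], h["eventType"], ", ".join(h["reasons"]))
```

An IP hit is a lead, not a verdict: pivot to every session the matched actor had in the window and look at what those sessions did (admin console access, MFA changes, new API tokens) before calling it an incident. The window is an assumption taken from the dates in the thread; widen it if your own telemetry suggests earlier activity.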
Remaining questions: Who are the other companies impacted?

Did they respond as well as Cloudflare, BeyondTrust, and 1Password did?
Want to stay on top of news like this?

Join over 5k pros who trust me to give them what they need to know every week in cybersecurity:

vulnu.mattjay.com
Sources:
BeyondTrust blog: beyondtrust.com/blog/entry/okt…
Okta announcement: sec.okta.com/harfiles
