- Okta has identified a credential stuffing attack exploiting cross-origin authentication in its Customer Identity Cloud.
- Customers are advised to disable unused cross-origin features and monitor logs for suspicious activities.
- Implementing multi-factor authentication and regularly updating passwords are recommended to enhance security.
Okta, a leading company in identity and access management, has issued an urgent warning to its customers about a significant cyber threat.
The company revealed that its Customer Identity Cloud (CIC) is currently under attack from cybercriminals using a technique called credential stuffing.
This attack has been ongoing for several weeks, prompting Okta to recommend immediate action to enhance security.
Credential stuffing is a type of cyberattack where hackers use automated tools to try countless username and password combinations on a login page.
These credentials are usually stolen from previous data breaches and are then used to gain unauthorized access to different accounts.
In this case, the attackers are exploiting a specific feature in Okta’s CIC, known as cross-origin authentication, to carry out their attacks.
Cross-origin resource sharing (CORS) is a security mechanism that allows web applications running on one domain to request resources from another domain.
This is commonly used to enable functionality like embedding services from different websites. However, if not properly secured, it can become a vector for cyberattacks.
Okta’s Response and Recommendations
Okta has acknowledged that the cross-origin authentication feature in its CIC is vulnerable to these credential-stuffing attacks.
The company has been monitoring this situation closely and has issued a set of recommendations to help customers protect themselves.
Firstly, Okta suggests that customers who do not actively use cross-origin authentication should disable this feature immediately. This simple step can prevent potential attacks by eliminating the vulnerability.
For those who need to keep the feature enabled, Okta advises implementing several security measures.
These include carefully managing and restricting the URLs that are allowed to make cross-origin requests. Only trusted and necessary URLs should be granted this access to minimize the risk.
Identifying Potential Attacks
Customers concerned about whether their systems have already been targeted can check their logs for specific events. Okta has identified “fcoa,” “scoa,” and “pwd_leak” as indicators of cross-origin authentication and login attempts.
If these events appear in the logs, especially for tenants not using cross-origin authentication, it could signal that a credential-stuffing attack has been attempted.
In addition to disabling unused features and monitoring logs, Okta recommends a few more proactive steps. Implementing multi-factor authentication (MFA) is a critical measure that can significantly reduce the risk of unauthorized access.
MFA requires users to provide two or more verification factors, making it much harder for attackers to gain entry even if they have the correct password.
Regularly updating and rotating passwords is another essential practice. Users should avoid reusing passwords across multiple sites, as this increases the risk if one account is compromised.
Okta’s Commitment to Security
Okta’s prompt response to this threat underscores its commitment to customer security. The company has reassured customers that it continuously monitors for suspicious activity and provides timely notifications to help them stay protected.
As cyber threats continue to evolve, staying informed and taking proactive security measures is crucial. By following Okta’s recommendations and remaining vigilant, customers can enhance their defenses against these damaging attacks.
For those looking for more detailed guidance, Okta encourages customers to visit their support page or contact their security team directly.
