Okta, a leading identity and access management provider, has warned of credential stuffing attacks targeting the cross-origin authentication feature of its Customer Identity Cloud (CIC). Since April 15, 2024, Okta has observed these attacks against the tenants of numerous customers. Credential stuffing replays large lists of usernames and passwords stolen in earlier breaches against a login endpoint, betting on password reuse; wherever a reused password hits, the attacker takes over the account.
Cross-origin authentication lets a web application served from one origin submit a user's credentials to the CIC authentication API on another origin directly from the browser, which the tenant must permit through its Cross-Origin Resource Sharing (CORS) allowed-origins setting. Because that endpoint accepts a username and password from browser-side JavaScript, it is a convenient target for automated stuffing traffic, and Okta has published guidance for detecting and mitigating the attacks.
Why it matters: The surge in credential stuffing against Okta's Customer Identity Cloud (CIC) is a reminder that attackers need no vulnerability when password reuse and an exposed login endpoint will do. Because identity providers sit in front of the data that matters, organizations increasingly treat the integrity of the authentication path itself, not only the applications behind it, as something to defend and monitor.
- Mitigation Strategies: Okta recommends several mitigations, including rotating the credentials of affected users, moving to passwordless authentication, enforcing strong password policies, and disabling cross-origin authentication for applications that do not use it. Restricting the tenant's allowed CORS origins to the applications that actually need cross-origin requests and enabling breached password detection are also suggested.
- Detection Recommendations: Okta advises administrators to review tenant logs for the event types 'fcoa' (failed cross-origin authentication), 'scoa' (successful cross-origin authentication), and 'pwd_leak' (a login attempt with a password known to have been exposed in a breach). Abnormal spikes in these events relative to the tenant's normal volume, particularly in fcoa, are an indicator of an attack in progress, and each pwd_leak event identifies a user whose password should be rotated.
- Long-term Defense: To bolster defenses against credential stuffing, Okta advises organizations to adopt phishing-resistant authentication methods such as passkeys and to enforce multi-factor authentication (MFA). Regular monitoring and proactive security measures are crucial for mitigating these threats.
- Historical Context: Okta has faced significant breaches in recent years. In 2022, the company was compromised by the LAPSUS$ hacking group through a third-party vendor, exposing customer support data. In 2023, a breach in Okta's support case management system affected nearly 200 of its clients, highlighting the ongoing challenges in securing cloud-based identity management solutions.
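The detection guidance above is easy to turn into a script. The following is an added example, not code from Okta or from either cited article, that runs the fcoa/scoa/pwd_leak check over a constructed batch of CIC tenant log events. It assumes the tenant logs have been exported (for instance via log streaming) as one JSON object per line carrying the standard log fields `type`, `date`, `ip` and `user_name`; the window size and thresholds are illustrative choices, not Okta's numbers, and should be tuned against the tenant's own baseline.

```python
"""Flag credential-stuffing signals in exported Okta Customer Identity Cloud
(CIC, formerly Auth0) tenant logs: spikes of failed cross-origin auth ('fcoa'),
one source spraying many usernames, and use of leaked passwords ('pwd_leak').

Assumptions (not Okta's code or guidance): logs are JSON lines with the fields
'type', 'date', 'ip' and 'user_name'; thresholds below are illustrative.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone


def _burst(n, ip="192.0.2.44"):
    # Constructed attacker traffic: n failed cross-origin logins in one minute,
    # each against a different username, from a single source IP.
    return [{"type": "fcoa", "date": f"2024-04-16T02:00:{i:02d}.000Z",
             "ip": ip, "user_name": f"user{i}@example.com"} for i in range(1, n + 1)]


# Constructed sample log: a quiet day, then a burst typical of credential stuffing.
SAMPLE_LOGS = "\n".join(json.dumps(e) for e in [
    {"type": "scoa", "date": "2024-04-14T09:00:05.000Z", "ip": "203.0.113.10", "user_name": "alice@example.com"},
    {"type": "fcoa", "date": "2024-04-14T09:01:40.000Z", "ip": "203.0.113.10", "user_name": "alice@example.com"},
    {"type": "scoa", "date": "2024-04-14T09:02:10.000Z", "ip": "203.0.113.10", "user_name": "alice@example.com"},
    {"type": "scoa", "date": "2024-04-14T10:30:00.000Z", "ip": "198.51.100.7", "user_name": "bob@example.com"},
    *_burst(8),
    {"type": "pwd_leak", "date": "2024-04-16T02:00:30.000Z", "ip": "192.0.2.44", "user_name": "user9@example.com"},
    {"type": "scoa", "date": "2024-04-16T02:00:35.000Z", "ip": "192.0.2.44", "user_name": "user10@example.com"},
])


def parse_logs(text):
    """Parse JSON-lines log export into dicts with an added timezone-aware 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        ts = datetime.fromisoformat(e["date"].replace("Z", "+00:00"))
        events.append({**e, "ts": ts})
    return events


def windowed_counts(events, window_seconds=60):
    """Bucket events into fixed windows; returns {window_start_epoch: Counter(type)}."""
    buckets = defaultdict(Counter)
    for e in events:
        epoch = int(e["ts"].timestamp())
        buckets[epoch - epoch % window_seconds][e["type"]] += 1
    return buckets


def detect_stuffing(events, window_seconds=60, fcoa_threshold=5, min_distinct_users=5):
    """Return alert dicts for the three signals Okta's advisory points at."""
    alerts = []

    # 1. Volume spike: failed cross-origin logins per window above threshold.
    for start, counts in sorted(windowed_counts(events, window_seconds).items()):
        if counts["fcoa"] >= fcoa_threshold:
            alerts.append({"kind": "fcoa_spike",
                           "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                           "fcoa": counts["fcoa"], "scoa": counts["scoa"]})

    # 2. Spray source: one IP failing against many distinct usernames.
    users_by_ip = defaultdict(set)
    for e in events:
        if e["type"] in ("fcoa", "pwd_leak"):
            users_by_ip[e["ip"]].add(e["user_name"])
    for ip, users in sorted(users_by_ip.items()):
        if len(users) >= min_distinct_users:
            alerts.append({"kind": "password_spray_source", "ip": ip, "distinct_users": len(users)})

    # 3. Leaked password used: that user's credential must be rotated regardless of volume.
    for e in events:
        if e["type"] == "pwd_leak":
            alerts.append({"kind": "leaked_password_used", "user": e["user_name"], "ip": e["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

The first check is the one Okta names directly (a spike in fcoa); the second exists because stuffing tools usually cycle through many usernames from few sources, so counting distinct users per IP separates an attack from one user mistyping a password; the third treats every pwd_leak as actionable on its own, since breached password detection has already told you the credential is public. In the sample, the quiet day produces no alerts and the burst produces one of each kind.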
Okta Warns of Credential Stuffing Attacks Targeting Customer Identity Cloud – The Hacker News
Okta Warns Once Again of Credential-Stuffing Attacks – Dark Reading