How Cloudflare mitigated yet another Okta compromise
Authors: Sourov Zaman, Lucas Ferreira, Kimberly Hall, Grant Bourzikas
Overview
On October 18, 2023, Cloudflare’s Security Incident Response Team discovered attacks traceable to an Okta compromise. Threat actors leveraged a compromised authentication token from Okta to attempt access to Cloudflare’s instance. The company emphasized that “no Cloudflare customer information or systems were impacted” due to swift detection and response measures.
This represents the second time Cloudflare has been affected by an Okta breach. A previous incident occurred in March 2022, where Cloudflare’s use of hardware keys for multi-factor authentication prevented unauthorized system access.
Detection and Response
The attacker accessed an Okta administrative session and compromised two separate Cloudflare employee accounts. The company detected this activity more than 24 hours before Okta notified them. Cloudflare’s Zero Trust architecture, combined with Gateway and Data Loss Prevention tools, enabled rapid containment before the attacker could establish persistence or access production networks.
According to Okta’s statement, threat actors accessed Okta’s customer support system. The specific attack involved hijacking a session token extracted from a support ticket created by a Cloudflare employee on October 18.
Recommendations for Okta
Cloudflare urged Okta to implement several best practices:
- Respond immediately to breach reports (Okta was notified of compromise on October 2 but attackers retained access until at least October 18)
- Provide timely, responsible disclosures to affected customers
- Require hardware keys for all systems, including third-party support providers
Recommendations for Okta Customers
For organizations using Okta, Cloudflare advised:
Enable protections:
- Implement hardware MFA for all user accounts
- Deploy Hardware keys rather than relying on passwords alone
Investigate and respond to:
- Unexpected password and MFA changes
- Suspicious support-initiated events
- Invalid password resets
- Suspicious MFA-related activity
Monitor for:
- Newly created Okta users
- Reactivated user accounts
- Session authentication validity
- Account and permission changes
- MFA policy overrides and removals
- Sensitive application delegation
- Supply chain provider access
Additional measures:
- Review session expiration policies to limit hijacking attacks
- Utilize device posture validation tools like Cloudflare Access Device Posture Check
- Implement defense-in-depth detection strategies
Cloudflare’s security teams committed to monitoring the situation and publishing updates if Okta disclosed additional information or log analysis revealed further details.