Support System Breach
Okta, a prominent identity and access management service provider, has attributed a recent breach of its support system to an internal oversight where an employee accessed a personal Google account using a company-issued laptop, consequently compromising credentials and resulting in data theft from several Okta clients.
In an insightful post-mortem analysis, Okta’s Chief Security Officer, David Bradbury, pinpointed this internal misstep as the “most likely avenue” leading to the compromise, affecting hundreds of its clients, including cybersecurity firms BeyondTrust and Cloudflare.
Bradbury confirmed, “From September 28, 2023, to October 17, 2023, an unauthorized threat actor accessed files within Okta’s customer support system pertaining to 134 clients, which is less than 1% of our customer base. Among these files were HAR files comprising session tokens susceptible to session hijacking attacks.”
According to Bradbury, the intruder exploited these session tokens to commandeer legitimate sessions of five customers. The assailant capitalized on a service account embedded within the system, equipped with permissions to access and modify customer support cases.
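The HAR files Bradbury describes are plain JSON exports of browser traffic, and the session material lives in the `Cookie`, `Set-Cookie` and `Authorization` headers (and the parallel `cookies` arrays) of each entry. The scanner below is an added example, not Okta's or BeyondTrust's tooling, that a help desk could run over a HAR before it is attached to a support case: it reports every session-bearing value and writes a redacted copy. The header list and the two-entry sample HAR (host `tenant.example`, cookie `sid`) are constructed for the example.

```python
"""Scan a HAR file for session-bearing headers and cookies and redact them."""
import copy
import json
import sys

# Header names that commonly carry bearer credentials or session identifiers
# (constructed list for this example; extend it for your own environment).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
REDACTED = "[REDACTED]"


def _redact_headers(headers, findings, where):
    for header in headers:
        value = header.get("value")
        if header.get("name", "").lower() in SENSITIVE_HEADERS and value and value != REDACTED:
            findings.append(f"{where}: header {header['name']}")
            header["value"] = REDACTED


def _redact_cookies(cookies, findings, where):
    for cookie in cookies:
        value = cookie.get("value")
        if value and value != REDACTED:
            findings.append(f"{where}: cookie {cookie.get('name', '?')}")
            cookie["value"] = REDACTED


def sanitize_har(har):
    """Return (redacted deep copy of `har`, list of human-readable findings).

    The input is left untouched so a caller can diff before and after.
    """
    clean = copy.deepcopy(har)
    findings = []
    for index, entry in enumerate(clean.get("log", {}).get("entries", [])):
        url = entry.get("request", {}).get("url", "<no url>")
        for side in ("request", "response"):
            part = entry.get(side, {})
            where = f"entry {index} {side} {url}"
            _redact_headers(part.get("headers", []), findings, where)
            _redact_cookies(part.get("cookies", []), findings, where)
    return clean, findings


def contains_secrets(har):
    """True if the HAR still carries any session-bearing header or cookie value."""
    return bool(sanitize_har(har)[1])


# Constructed two-entry HAR; the host and the cookie value are placeholders.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://tenant.example/api/v1/sessions/me",
                    "headers": [
                        {"name": "Cookie", "value": "sid=102dEXAMPLEsessionvalue"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "102dEXAMPLEsessionvalue"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=102dEXAMPLEsessionvalue; Secure; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "102dEXAMPLEsessionvalue"}],
                },
            },
            {
                "request": {
                    "method": "GET",
                    "url": "https://tenant.example/static/app.js",
                    "headers": [{"name": "Accept", "value": "*/*"}],
                    "cookies": [],
                },
                "response": {
                    "status": 200,
                    "headers": [{"name": "Content-Type", "value": "text/javascript"}],
                    "cookies": [],
                },
            },
        ],
    }
}


def sanitize_file(path_in, path_out):
    """Read a HAR file, write a redacted copy next to it, and return the findings."""
    with open(path_in, encoding="utf-8") as fh:
        har = json.load(fh)
    clean, findings = sanitize_har(har)
    with open(path_out, "w", encoding="utf-8") as fh:
        json.dump(clean, fh, indent=2)
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        for line in sanitize_file(sys.argv[1], sys.argv[2]):
            print(line)
    else:
        _, demo_findings = sanitize_har(SAMPLE_HAR)
        print("\n".join(demo_findings))
```

Run it as `python har_scrub.py capture.har capture.redacted.har`; with no arguments it reports on the embedded sample. Redaction at the point of upload only limits exposure; the stronger control is to treat any session token that has been inside a HAR as disclosed and revoke it once the support case is resolved.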
During Okta’s inquiry into the unusual activity surrounding this account, it emerged that an employee had logged into their personal Google account via the Chrome browser on a company-supervised laptop, inadvertently saving the service account’s credentials into their personal Google profile. Bradbury commented, “The most plausible explanation for the exposure of this credential is the compromise of the employee’s personal Google account or personal device.”
Bradbury acknowledged the oversight in Okta’s internal mechanisms in detecting the breach promptly. He elaborated, “For 14 days, while actively probing, Okta did not discern suspicious downloads in our logs.” He explained the nuances of the logging system and how the threat actor’s actions generated different log events that initially went unnoticed.
Bradbury disclosed that the investigation gained traction after BeyondTrust provided a suspicious IP address linked to the attacker. “This clue enabled us to detect additional file access events associated with the compromised account,” he explained.
Blocking the use of personal Google profiles in Google Chrome on Okta-managed devices, deploying additional detection and monitoring rules for its customer support system, and binding Okta administrator session tokens to network location are the remediations Okta has now put in place; they would have been smart things to do BEFORE the attack rather than after.
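The third remediation, binding administrator session tokens to network location, has a detection-side counterpart that any team can run over its own audit logs: record the network a session is first seen from and alert when the same session token turns up from somewhere else. The code below is an added example, not Okta's implementation. It assumes a /24 (IPv4) or /64 (IPv6) as the unit of "network location", a set of known administrator accounts, and constructed audit events using documentation address ranges.

```python
"""Flag administrator session tokens that reappear from a different network."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionEvent:
    ts: str          # ISO-8601 UTC timestamp; one format for all events so string sort is chronological
    session_id: str  # identifier of the session token (never the token value itself)
    actor: str       # account the session belongs to
    client_ip: str   # source address observed at the edge
    action: str


@dataclass(frozen=True)
class BindingAlert:
    ts: str
    session_id: str
    actor: str
    bound_network: str
    observed_ip: str
    action: str


def network_of(ip: str, v4_prefix: int = 24, v6_prefix: int = 64) -> str:
    """Map an address to the network it is considered bound to (assumed /24 or /64)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def detect_binding_violations(events, admin_actors):
    """Return one alert for every admin event whose session was first seen from another network."""
    bound = {}   # session_id -> network at first observation
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.actor not in admin_actors:
            continue
        net = network_of(ev.client_ip)
        first_net = bound.setdefault(ev.session_id, net)
        if net != first_net:
            alerts.append(BindingAlert(ev.ts, ev.session_id, ev.actor, first_net, ev.client_ip, ev.action))
    return alerts


# Constructed administrator set and audit events (RFC 5737 / RFC 3849 addresses).
ADMIN_ACTORS = {"alice@tenant.example", "bob@tenant.example"}

SAMPLE_EVENTS = [
    SessionEvent("2023-10-17T09:00:00Z", "sess-A", "alice@tenant.example", "203.0.113.10", "login"),
    SessionEvent("2023-10-17T09:05:00Z", "sess-A", "alice@tenant.example", "203.0.113.11", "list_users"),
    SessionEvent("2023-10-17T09:07:00Z", "sess-A", "alice@tenant.example", "198.51.100.5", "update_policy"),
    SessionEvent("2023-10-17T09:10:00Z", "sess-B", "bob@tenant.example", "192.0.2.1", "login"),
    SessionEvent("2023-10-17T09:12:00Z", "sess-C", "carol@tenant.example", "192.0.2.9", "login"),
    SessionEvent("2023-10-17T09:13:00Z", "sess-C", "carol@tenant.example", "198.51.100.9", "view_case"),
    SessionEvent("2023-10-17T09:15:00Z", "sess-D", "bob@tenant.example", "2001:db8:1::10", "login"),
    SessionEvent("2023-10-17T09:16:00Z", "sess-D", "bob@tenant.example", "2001:db8:1::20", "list_apps"),
]


if __name__ == "__main__":
    for alert in detect_binding_violations(SAMPLE_EVENTS, ADMIN_ACTORS):
        print(f"{alert.ts} {alert.actor} {alert.session_id}: bound to {alert.bound_network}, "
              f"used from {alert.observed_ip} for {alert.action}")
```

In the sample, `sess-A` moves within 203.0.113.0/24 without comment and is flagged only when it is presented from 198.51.100.5; `sess-C` belongs to a non-administrator and is ignored. Detection of this kind catches a hijacked token after the fact, whereas the enforcement Okta describes rejects the request at the identity provider; running both is the sensible arrangement, since enforcement can be scoped narrowly and the detection rule tells you when it is being tested.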
Okta has been a recurring target for several hacking collectives aiming to exploit its infrastructure to infiltrate other organizations. In a previous incident in September, Okta reported a sophisticated hacking group targeting IT service desk staff to manipulate multi-factor authentication resets for high-privilege users within the targeted entity. Although Okta did not divulge details about the threat actor or its objectives, it noted the use of innovative lateral movement and defense evasion techniques.
More than $2 billion in market cap has been wiped out since the company acknowledged the hack on Friday.
Author
Steve King
Managing Director, CyberEd
King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.