Okta support case-management system breach
A threat actor used a stolen service-account credential — exposed via an employee's personal Google account — to access Okta's customer support case-management system, reading HAR files that contained session tokens and enabling session-hijacking against customers including 1Password, BeyondTrust and Cloudflare.
- Victim: Okta
- Users: 134
On 20 October 2023, the identity provider Okta disclosed that an attacker had accessed its customer support case-management system using a stolen credential. Because that system stored HTTP Archive (HAR) files — diagnostic captures that can embed live session tokens and cookies — the breach gave the attacker the means to hijack legitimate Okta sessions of affected customers. Several of those customers, including 1Password, BeyondTrust and Cloudflare, detected and reported the activity before Okta confirmed it publicly.
What happened
To troubleshoot customer issues, Okta's support staff routinely ask customers to upload HAR files — recordings of browser traffic. These files are invaluable for reproducing errors but frequently contain session cookies and bearer tokens that, if stolen, allow an attacker to impersonate the authenticated user without needing a password or MFA.
The attacker accessed Okta's support case-management system using the credentials of a service account that had permission to view and update support cases. Between 28 September and 17 October 2023, they read support files — including HAR files — and extracted session tokens, which were used to hijack the Okta sessions of five customers.
Root cause
In its 3 November 2023 root-cause report, Okta concluded that an employee had signed into their personal Google account within the Chrome browser on an Okta-managed laptop. The service account's username and password had been saved into that personal Google account. The most likely exposure path was the compromise of the employee's personal Google account or personal device, from which the credential was harvested and reused against Okta's support system.
Impact
- Okta initially reported a small number of affected customers, then revised the total: 134 customers (less than 1% of its base) had files accessed.
- Session tokens from HAR files were used to hijack the sessions of 5 customers.
- 1Password reported suspicious activity on 29 September; BeyondTrust detected an attack on an Okta admin account on 2 October; Cloudflare detected token-based access to its Okta instance on 18 October. All three contained the activity without confirmed downstream compromise of customer data.
- Okta revoked the embedded session tokens, disabled the compromised service account, and tightened controls — including binding admin sessions to network location and disabling personal-account sign-in on managed devices.
Why it matters
The Okta support breach is a textbook case in supply-chain trust concentration: as an identity provider underpinning single sign-on for thousands of organizations, a compromise of Okta's own support tooling cascades directly into customer environments. It spotlighted two recurring failures — sensitive tokens lingering in diagnostic HAR files, and corporate credentials leaking through personal cloud accounts on managed devices. The incident drove broad adoption of HAR-file sanitization, shorter session-token lifetimes, administrator session binding, and stricter separation between corporate and personal identities on endpoints. It also reinforced that defenders frequently detect identity-provider compromises before the provider does — here, customers raised the alarm weeks ahead of public disclosure.
Timeline
- 28 September 2023: A threat actor begins accessing files in Okta's customer support case-management system using a stolen service-account credential.
- 29 September 2023: 1Password detects and reports suspicious activity to Okta — the first customer to flag the intrusion.
- 2 October 2023: BeyondTrust detects an attack on an in-house Okta administrator account after the actor uses a session cookie stolen from a HAR file uploaded to Okta support.
- 17 October 2023: The threat actor's access to the support system ends; the intrusion window spans 28 September to 17 October.
- 18 October 2023: Cloudflare detects an attack on its systems using a compromised authentication token taken from Okta's support case-management system.
- 20 October 2023: Okta publicly discloses that its support case-management system was breached using a stolen credential.
- 3 November 2023: Okta publishes its root-cause analysis: a service account's credentials had been saved in an employee's personal Google account, the likely point of exposure. 134 customers were affected.
Sources
- https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause/
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
- https://www.bleepingcomputer.com/news/security/okta-says-its-support-system-was-breached-using-stolen-credentials/
- https://thehackernews.com/2023/11/oktas-recent-customer-support-data.html