Okta Issues Warning on Credential Stuffing Attacks Targeting Cross-Origin Authentication Feature

Okta, a leading cybersecurity company specializing in identity and access management, has issued a warning about ongoing credential stuffing attacks targeting its Customer Identity Cloud (CIC) feature, particularly its cross-origin authentication. These attacks have been observed since April 15, 2024, affecting numerous customers.

Credential stuffing is a type of cyber attack where threat actors use large sets of usernames and passwords, typically obtained from previous data breaches or phishing campaigns, to gain unauthorized access to online services. Attackers automate this process, trying the stolen credentials across multiple websites until they find a match, which can lead to unauthorized access to sensitive information or enable fraudulent activities.

Details of the Attack

The attacks specifically target the endpoints supporting the cross-origin authentication feature in CIC. Okta’s Cross-Origin Resource Sharing (CORS) feature allows customers to add JavaScript to their websites and applications to send authentication calls to the Okta API hosted on a different domain. This functionality, while useful, is vulnerable to credential stuffing attacks if not properly secured.

Okta has noted that the endpoints used for cross-origin authentication have been attacked for several customers, starting on April 15. The company has proactively notified affected customers and provided guidance on mitigating and preventing these attacks.

Recommendations for Customers

Okta has provided detailed recommendations for customers to mitigate the impact of these attacks:

  1. Review Tenant Logs: Customers should review their tenant logs for signs of unexpected login events, such as:
    • FCOA: Failed cross-origin authentication
    • SCOA: Successful cross-origin authentication
    • PWD_LEAK: Login attempts using leaked passwords
  2. Rotate Credentials: Compromised credentials should be rotated immediately.
  3. Restrict or Disable Cross-Origin Authentication: Customers who do not need cross-origin authentication should disable it. Those who need it should restrict permitted origins.
  4. Enable Breached Password Detection or Credential Guard: These features can help detect and prevent the use of compromised credentials.
  5. Implement Passwordless Phishing-Resistant Authentication: Okta recommends using passkeys as a secure option.
  6. Enforce Strong Password Policies and MFA: Ensure that passwords are strong (minimum of 12 characters, no parts of the username) and enforce multi-factor authentication (MFA) to add an additional layer of security.
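The log-review step above names three event codes but not how to turn them into a finding. As an added example (not Okta's code and not part of the original advisory), the Python script below reads a handful of constructed tenant-log lines, keeps only FCOA, SCOA and PWD_LEAK events, and flags source addresses that show the credential-stuffing pattern the advisory describes: many attempts, many different usernames, mostly failures. It then lists the accounts whose credentials should be rotated (any PWD_LEAK hit, plus any successful cross-origin login from a flagged source). The JSON field names, the sample values and the thresholds are assumptions for this example, not Okta's log schema.

```python
import json
from collections import defaultdict

# Constructed sample tenant-log lines (one JSON object per line). Field names
# (date, type, ip, user_name) and all values are assumptions for this example;
# they are not Okta's schema. 203.0.113.7 is a documentation-only address.
SAMPLE_LOG_LINES = [
    '{"date": "2024-04-15T09:00:01Z", "type": "fcoa", "ip": "203.0.113.7", "user_name": "alice@example.com"}',
    '{"date": "2024-04-15T09:00:02Z", "type": "fcoa", "ip": "203.0.113.7", "user_name": "bob@example.com"}',
    '{"date": "2024-04-15T09:00:03Z", "type": "fcoa", "ip": "203.0.113.7", "user_name": "carol@example.com"}',
    '{"date": "2024-04-15T09:00:04Z", "type": "pwd_leak", "ip": "203.0.113.7", "user_name": "dave@example.com"}',
    '{"date": "2024-04-15T09:00:05Z", "type": "fcoa", "ip": "203.0.113.7", "user_name": "erin@example.com"}',
    '{"date": "2024-04-15T09:00:06Z", "type": "scoa", "ip": "203.0.113.7", "user_name": "frank@example.com"}',
    '{"date": "2024-04-15T09:05:00Z", "type": "fcoa", "ip": "198.51.100.22", "user_name": "grace@example.com"}',
    '{"date": "2024-04-15T09:05:20Z", "type": "scoa", "ip": "198.51.100.22", "user_name": "grace@example.com"}',
    '{"date": "2024-04-15T09:06:00Z", "type": "other", "ip": "198.51.100.22", "user_name": "grace@example.com"}',
]

# The three event codes the advisory tells customers to look for (compared case-insensitively).
CROSS_ORIGIN_EVENTS = {"fcoa", "scoa", "pwd_leak"}


def parse_log_lines(lines):
    """Parse JSON-lines log entries, keeping only cross-origin authentication events."""
    events = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole review
        event_type = str(entry.get("type", "")).lower()
        if event_type not in CROSS_ORIGIN_EVENTS:
            continue
        events.append({
            "type": event_type,
            "ip": entry.get("ip", "unknown"),
            "user": entry.get("user_name", "unknown"),
            "date": entry.get("date", ""),
        })
    return events


def summarize_by_ip(events):
    """Count FCOA / SCOA / PWD_LEAK per source IP and the distinct usernames tried from it."""
    summary = defaultdict(lambda: {"fcoa": 0, "scoa": 0, "pwd_leak": 0, "users": set()})
    for ev in events:
        bucket = summary[ev["ip"]]
        bucket[ev["type"]] += 1
        bucket["users"].add(ev["user"])
    return dict(summary)


def flag_suspicious_ips(summary, min_attempts=5, min_distinct_users=3, min_failure_ratio=0.6):
    """Flag sources that look like credential stuffing: many attempts spread over many
    usernames, mostly unsuccessful. PWD_LEAK is treated as a non-successful attempt.
    The thresholds are assumptions for this example; tune them to the tenant's normal traffic."""
    flagged = {}
    for ip, b in summary.items():
        attempts = b["fcoa"] + b["scoa"] + b["pwd_leak"]
        if attempts < min_attempts:
            continue
        failure_ratio = (b["fcoa"] + b["pwd_leak"]) / attempts
        if len(b["users"]) >= min_distinct_users and failure_ratio >= min_failure_ratio:
            flagged[ip] = {
                "attempts": attempts,
                "distinct_users": len(b["users"]),
                "failure_ratio": round(failure_ratio, 2),
            }
    return flagged


def accounts_to_rotate(events, flagged_ips):
    """Accounts needing a credential rotation: any PWD_LEAK hit, plus any SCOA from a flagged source."""
    accounts = set()
    for ev in events:
        if ev["type"] == "pwd_leak" or (ev["type"] == "scoa" and ev["ip"] in flagged_ips):
            accounts.add(ev["user"])
    return sorted(accounts)


if __name__ == "__main__":
    events = parse_log_lines(SAMPLE_LOG_LINES)
    flagged = flag_suspicious_ips(summarize_by_ip(events))
    for ip, info in flagged.items():
        print(f"suspicious source {ip}: {info}")
    print("rotate credentials for:", accounts_to_rotate(events, flagged))
```

On the constructed sample, the script flags 203.0.113.7 (six attempts across six usernames, five of them failures) and leaves 198.51.100.22 alone (one failed and one successful attempt by the same user, which is what a mistyped password looks like). Successful cross-origin logins from a flagged source are the events worth acting on first, since an SCOA amid a wall of FCOAs is the sign that a stuffed credential actually worked.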

Background and Context

This is not the first time Okta has issued such a warning. In late April 2024, the company observed a surge in credential stuffing attacks facilitated by the widespread availability of residential proxy services and lists of previously compromised credentials. Those attacks were largely automated and originated from infrastructure similar to that seen in the recent attacks.

Okta’s advisory highlights the growing sophistication and frequency of credential stuffing attacks, underscoring the importance of robust cybersecurity measures to protect against such threats. High-profile customers, including 23andMe, Roku, and Hot Topic, have all been victims of these types of attacks, emphasizing the need for proactive cybersecurity practices.

Conclusion

As credential stuffing attacks continue to pose a significant threat, Okta’s detailed guidance aims to help customers secure their accounts and mitigate the risks associated with these attacks. By following the recommended actions and implementing robust security measures, organizations can better protect themselves against unauthorized access and potential data breaches.