Okta has issued a warning that its Customer Identity Cloud (CIC) feature is being targeted in credential stuffing attacks. These attacks began on April 15, 2024, and involve threat actors using stolen usernames and passwords to breach online accounts. The attacks specifically target endpoints utilizing CIC’s cross-origin authentication feature. Okta has identified and notified customers impacted by these attacks, providing guidance on securing their accounts.
Credential stuffing attacks use large lists of stolen credentials, often obtained from data breaches or malware, to access accounts. Okta’s Customer Identity Cloud’s Cross-Origin Resource Sharing (CORS) feature, which allows JavaScript to send authentication calls to the Okta API, is vulnerable. Customers must grant access to the URLs allowed to make cross-origin requests, which makes them potential targets if those URLs are not in use. Okta has advised customers to disable unused URLs to prevent further attacks.
To detect and mitigate these attacks, Okta recommends that administrators check their logs for specific events indicating credential stuffing attempts. If cross-origin authentication is not used but related events are present in the logs, this suggests the customer is being targeted by credential stuffing attacks. If cross-origin authentication is in use, Okta advises looking for abnormal spikes in such events. Additionally, customers should review logs from April 15 onwards, as this is when the suspicious activity started.
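The log check described above, sketched as an added example (not Okta's code and not part of the original article). It assumes tenant logs exported as JSON lines with `date` and `type` fields and uses the Auth0 event type codes `fcoa`, `scoa` and `pwd_leak`, which this page does not name; the sample records, the `spike_factor` threshold and the pre-April-15 baseline are constructed for illustration.

```python
import json
from collections import Counter
from datetime import date, datetime, timezone
from statistics import median

# Auth0 tenant-log event type codes for failed / successful cross-origin
# authentication and breached-password hits (assumption: not named on this page).
WATCHED = {"fcoa", "scoa", "pwd_leak"}
START = date(2024, 4, 15)  # first day of suspicious activity per the advisory

def daily_counts(log_lines):
    """Count watched events per UTC day from JSON-lines tenant logs."""
    counts = Counter()
    for line in log_lines:
        try:
            event = json.loads(line)
            when = datetime.fromisoformat(event["date"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed records rather than abort the review
        if when.tzinfo is not None:
            when = when.astimezone(timezone.utc)  # naive stamps are taken as UTC
        if event.get("type") in WATCHED:
            counts[when.date()] += 1
    return counts

def days_to_review(log_lines, cross_origin_in_use, spike_factor=3.0):
    """Return ISO dates on or after START that need investigation."""
    counts = daily_counts(log_lines)
    recent = {d: n for d, n in counts.items() if d >= START}
    if not cross_origin_in_use:
        # Feature unused: any watched event at all is unexpected.
        return sorted(d.isoformat() for d in recent)
    # Feature in use: compare each day with the pre-START median (only days
    # that logged at least one watched event contribute to the baseline).
    before = [n for d, n in counts.items() if d < START]
    threshold = spike_factor * max(median(before) if before else 0, 1)
    return sorted(d.isoformat() for d, n in recent.items() if n > threshold)

def sample_logs():
    """Constructed sample: quiet baseline, then a burst on 2024-04-16."""
    per_day = {"2024-04-10": 4, "2024-04-11": 5, "2024-04-12": 6,
               "2024-04-16": 40, "2024-04-17": 5}
    lines = [json.dumps({"date": f"{day}T10:00:00.000Z", "type": "fcoa",
                         "ip": "203.0.113.7"})
             for day, n in per_day.items() for _ in range(n)]
    lines.append(json.dumps({"date": "2024-04-16T11:00:00.000Z", "type": "s"}))
    lines.append("not json")  # malformed line, ignored
    return lines
```

With the sample data, a tenant that uses cross-origin authentication gets only the burst day back, while a tenant that does not use it gets every day on which a watched event appeared.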
Okta has provided several mitigation strategies, including rotating compromised user credentials, implementing passwordless authentication, enforcing strong password policies, and enabling multi-factor authentication (MFA). Customers are also advised to disable cross-origin authentication if not used, remove unused permitted devices, restrict permitted origins, and enable breached password detection. For further assistance, customers can contact Okta’s Customer Support or participate in community forums.