{"id":3819,"date":"2024-05-30T10:43:41","date_gmt":"2024-05-30T15:43:41","guid":{"rendered":"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/okta-warns-once-again-of-credential-stuffing-attacks"},"modified":"2024-05-30T10:43:41","modified_gmt":"2024-05-30T15:43:41","slug":"okta-warns-once-again-of-credential-stuffing-attacks","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/30\/okta-warns-once-again-of-credential-stuffing-attacks\/","title":{"rendered":"Okta Warns Once Again of Credential-Stuffing Attacks"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

For the second time in just more than a month, identity management service provider <\/span>Okta<\/a><\/span> is warning of <\/span>credential-stuffing attacks<\/a><\/span>, this time against the cross-origin authentication feature of its Customer Identity Cloud (CIC) authentication offering.<\/span><\/p>\n

The “suspicious activity” started on April 15, when Okta observed that the endpoints used to support CIC’s cross-origin authentication feature first being attacked for “a number of our customers,” according to <\/span>a warning<\/a><\/span> posted on the company’s website earlier this week.<\/span><\/p>\n

Credential-stuffing attacks occur when adversaries attempt to sign in to online services using large lists of usernames and passwords, likely obtained from previous data breaches, phishing, or malware campaigns.<\/span><\/p>\n

Late last month, Okta <\/span>also warned<\/a><\/span> of a rash of similar attacks against its service around the same time frame; those attacks were made largely through an anonymizing device such as Tor or routed through various residential proxies such as NSOCKS, Luminati, and Datalmpulse.<\/span><\/p>\n

Okta has “proactively” informed customers with the cross-origin authentication feature enabled of the attacks and provided detailed guidance for mitigation and prevention.<\/span><\/p>\n

Identifying a Cyberattack on CORS<\/h2>\n

The cross-origin authentication is part of Okta’s Cross-Origin Resource Sharing (CORS) feature, which allows a webpage to make an Ajax call using XML requests, so customers can enable JavaScript running on a browser client to interact with resources from a different origin.  <\/span><\/p>\n

“Such cross-domain requests would otherwise be forbidden by Web browsers as indicated by the same origin security policy,” according to an <\/span>Okta developer resource page<\/a><\/span>. “CORS defines a standardized way in which the browser and the server can interact to determine whether to allow the cross-origin request.”<\/span><\/p>\n

Okta customers using CORS should review the following events in their tenant logs to determine if they were targeted: “FCOA,” or failed cross-origin authentication; “SCOA,” or successful cross-origin authentication; and “pwd_leak,” or someone attempting to log in with a leaked password.<\/span><\/p>\n

Even if a customer’s tenant does not use cross-origin authentication but SCOA or FCOA events are present in the event logs, it’s still likely that the tenant has been targeted, according to Okta.<\/span><\/p>\n

Further, if a tenant using cross-origin authentication either saw a spike of SCOA events in April or an increase in the ratio of failure-to-success events \u2014 that is, FCOA\/SCOA \u2014 then it also is likely the tenant was targeted.<\/span><\/p>\n

Customers at risk of the attacks also can restrict permitted origins and enable breached password detection for affected tenants.<\/span><\/p>\n

Further Defense Against Credential-Stuffing<\/h2>\n

Given that credential-stuffing attacks are becoming a recurring issue for Okta customers \u2014 among myriad other organizations \u2014the company also provided guidance for long-term defense to prevent them from occurring. Indeed, high-profile customers such as <\/span>23andMe<\/a><\/span>, <\/span>Roku<\/a><\/span>, and <\/span>Hot Topic<\/a><\/span> apparel brand have all been victims of these types of attacks.<\/span><\/p>\n

To prevent them, organizations should enroll users “in passwordless, phishing-resistant authentication,” according to Okta, which also suggested that <\/span>passkeys<\/a><\/span> are the “most secure option.”<\/span><\/p>\n

If an organization continues to use passwords, administrators should prevent users from choosing weak passwords, requiring them to choose a “minimum of 12 characters and |no parts of the user name,” according to Okta. Multifactor authentication (MFA) also can help prevent credential-stuffing attacks from being successful; in fact, Roku mandated this defense after its high-profile attack.<\/span><\/p>\n

Further, Okta tenants not using cross-origin authentication can disable endpoints to eliminate the attack vector entirely, Okta said. And obviously, the company noted, any passwords compromised in a credential-stuffing attack should be changed immediately.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

For the second time in just more than a month,<\/p>\n","protected":false},"author":12,"featured_media":3820,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3819","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?fit=2560%2C1706&ssl=1",2560,1706,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?fit=300%2C200&ssl=1",300,200,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?fit=640%2C427&ssl=1",640,427,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?fit=640%2C427&ssl=1",640,427,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?fit=1536%2C1024&ssl=1",1536,1024,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?fit=2048%2C1365&ssl=1",2048,1365,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?fit=1024%2C683&ssl=1",1024,683,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/okta-warns-once-again-of-credential-stuffing-attacks-scaled.jpg?fit=2560%2C1706&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3819"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3819\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3820"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}