Okta Warns of Credential Stuffing Attacks Targeting Cross-Origin Authentication

Okta raises the alarm on credential stuffing attacks targeting endpoints used for cross-origin authentication.

Identity and access management solutions provider Okta is warning customers of credential stuffing attacks targeting the Customer Identity Cloud’s cross-origin authentication feature.

According to Okta, since April 15, threat actors have been using username and password combinations potentially obtained from phishing, malware attacks, or previous data breaches in attempts to compromise some of its customers’ tenants.

“Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks,” the company warned.

According to Okta, customers should review the logs for every tenant to identify any suspicious activity, including failed cross-origin authentication (fcoa), successful attempts (scoa), and attempts to log in using a leaked password (pwd_leak).

“If your tenant does not use cross-origin authentication, but `scoa` or `fcoa` events are present in event logs, then it is likely your tenant has been targeted in a credential stuffing attack,” Okta said.

“If your tenant does use cross-origin authentication and either saw a spike of ‘scoa’ events in April or an increase in the ratio of failure-to-success events (fcoa/scoa), then it is likely your tenant has been targeted in a credential stuffing attack,” the company added.
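The log review described above can be scripted. The following is an added example, not code from Okta or SecurityWeek. It assumes tenant logs exported as JSON lines with `date` and `type` fields, and the comparison windows and the 2x threshold are illustrative assumptions.

```python
import json
from collections import Counter
from datetime import date, datetime

WATCHED = {"fcoa", "scoa", "pwd_leak"}

def count_events(log_lines, start, end):
    """Count watched event types whose day falls in [start, end)."""
    counts = Counter()
    for line in log_lines:
        try:
            ev = json.loads(line)
            day = datetime.fromisoformat(ev["date"].replace("Z", "+00:00")).date()
            kind = str(ev["type"])
        except (ValueError, KeyError, AttributeError, TypeError):
            continue  # skip malformed records rather than abort the review
        if kind in WATCHED and start <= day < end:
            counts[kind] += 1
    return counts

def assess(log_lines, uses_cross_origin, baseline, review, factor=2.0):
    """Apply the checks above; baseline and review are (start, end) date pairs."""
    base, cur = count_events(log_lines, *baseline), count_events(log_lines, *review)
    findings = []
    if not uses_cross_origin:
        if cur["scoa"] or cur["fcoa"]:
            findings.append("unexpected_cross_origin_events")
    else:
        base_rate = base["scoa"] / (baseline[1] - baseline[0]).days
        cur_rate = cur["scoa"] / (review[1] - review[0]).days
        if cur["scoa"] and cur_rate > factor * base_rate:
            findings.append("scoa_spike")
        # max(..., 1) avoids dividing by zero when no login succeeded
        base_ratio = base["fcoa"] / max(base["scoa"], 1)
        cur_ratio = cur["fcoa"] / max(cur["scoa"], 1)
        if cur["fcoa"] and cur_ratio > factor * base_ratio:
            findings.append("fcoa_scoa_ratio_increase")
    if cur["pwd_leak"]:
        findings.append("pwd_leak_seen")
    return findings

def sample(day, kind, n):  # constructed records, not real tenant logs
    return [json.dumps({"date": f"2024-{day}T12:00:00Z", "type": kind})] * n

SAMPLE = (sample("04-05", "scoa", 40) + sample("04-05", "fcoa", 4)
          + sample("04-16", "scoa", 45) + sample("04-16", "fcoa", 300)
          + sample("04-17", "pwd_leak", 3) + ["not json"])
BASELINE, REVIEW = (date(2024, 4, 1), date(2024, 4, 15)), (date(2024, 4, 15), date(2024, 4, 29))

if __name__ == "__main__":
    print(assess(SAMPLE, True, BASELINE, REVIEW))
```

In the constructed sample, successful logins barely change while failures jump, so only the ratio check and the leaked-password check fire for a tenant that uses the feature.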


Customers are advised to immediately rotate any user passwords that might have been compromised in a credential stuffing attack.

To mitigate the risks associated with credential stuffing, Okta recommends enrolling users in passwordless, phishing-resistant authentication, such as passkeys, which it supports in all its Auth0 plans.

The company also recommends enforcing strong password requirements and implementing multi-factor authentication (MFA), disabling tenants that do not use cross-origin authentication, restricting permitted origins for cross-origin authentication, and enabling breached password detection for tenants.

Okta’s warning comes roughly half a year after the company announced that the names and email addresses of all its customer support system users were stolen in an October 2023 cyberattack. The Auth0/CIC support case management system was not affected.

In September, threat actors targeted Okta’s IT service desk personnel in an attempt to convince them to reset MFA for high-privilege users at multiple US-based customers.

Shares of Okta (NASDAQ: OKTA) are trading roughly 5% higher in pre-market trading on Thursday after the company reported earnings on Wednesday and boosted its outlook. The company said it expects revenue of $2.530 billion to $2.540 billion for the full year, representing a growth rate of 12% year-over-year.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
