Okta Credential Stuffing: 18,000 Customer Accounts Tested with Stolen Passwords
Using previously stolen credentials from other breaches, attackers conducted a credential stuffing campaign against Okta accounts in October 2022, successfully accessing a number of customer accounts and enumerating others.
Background
Okta's identity platform is explicitly designed to protect against exactly this type of attack, which makes Okta itself becoming a credential-stuffing target particularly notable. The campaign was separate from the Lapsus$ Okta breach and exercised a different attack surface: the customer-facing login flow rather than a compromised third-party support contractor.
The Attack
Attackers used large lists of email address and password pairs from prior breach compilations to systematically attempt logins to Okta accounts. Where users had reused a password from another breached service and had not enrolled a strong second factor, the attempts succeeded. A stuffing list typically carries only a few known pairs per account, so naive per-account lockout thresholds may not trigger; the campaign was instead detected through anomalous authentication log patterns: large volumes of login attempts, spread across diverse geographic locations, against the same accounts.
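The detection signal described above, as an added example that is not part of the original article or of Okta's own tooling: a small Python detector run over constructed login events laid out like Okta System Log records (eventType, outcome.result, actor.alternateId, client.ipAddress, client.geographicalContext.country; every account, address and country below is invented). It flags the two signatures a stuffing run leaves, one source address failing against many accounts and one account failing from many countries, and then the event that matters most, a success from a source already seen failing across accounts. Thresholds are illustrative and would be tuned per tenant.

```python
"""Credential-stuffing signatures over Okta-style System Log login events.

All events below are constructed for this example; the field layout mirrors
Okta System Log records but the accounts, addresses and countries are invented.
"""
from collections import defaultdict

LOGIN_EVENT = "user.session.start"  # Okta event type for a primary-auth attempt


def make_event(user, ip, country, result):
    """Build one constructed login event in the Okta System Log field layout."""
    return {
        "eventType": LOGIN_EVENT,
        "outcome": {"result": result},  # SUCCESS or FAILURE
        "actor": {"alternateId": user},  # the login the client presented
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
    }


TARGETS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
# Invented attacker egress points (TEST-NET addresses); countries are illustrative.
ATTACK_SOURCES = [("203.0.113.5", "Brazil"), ("198.51.100.7", "Nigeria"), ("192.0.2.9", "Japan")]
CORPORATE_EGRESS = ("192.0.2.50", "United States")

SAMPLE_EVENTS = [
    # Ordinary traffic: every user logs in once from the corporate egress address.
    *[make_event(u, *CORPORATE_EGRESS, "SUCCESS") for u in TARGETS],
    # Stuffing run: each attacker address tries one breached pair per account.
    *[make_event(u, ip, country, "FAILURE") for ip, country in ATTACK_SOURCES for u in TARGETS],
    # bob reused a breached password and has no MFA enrolled, so one attempt lands.
    make_event("bob@example.com", "198.51.100.7", "Nigeria", "SUCCESS"),
]


def _logins(events, result):
    """Yield primary-auth events with the given outcome, skipping other event types."""
    for event in events:
        if event.get("eventType") == LOGIN_EVENT and event["outcome"]["result"] == result:
            yield event


def _user(event):
    return event["actor"]["alternateId"]


def _ip(event):
    return event["client"]["ipAddress"]


def _country(event):
    return event["client"]["geographicalContext"]["country"]


def spraying_sources(events, min_accounts=3):
    """Source IPs whose failed logins touch at least min_accounts distinct accounts.

    A stuffing list is tried one pair per account, so per-account failure counts
    stay low; the cross-account view from a single source is the stronger signal.
    """
    accounts = defaultdict(set)
    for event in _logins(events, "FAILURE"):
        accounts[_ip(event)].add(_user(event))
    return {ip: sorted(users) for ip, users in accounts.items() if len(users) >= min_accounts}


def targeted_accounts(events, min_failures=3, min_countries=2):
    """Accounts with repeated failures arriving from several countries (the article's signal)."""
    failures = defaultdict(list)
    for event in _logins(events, "FAILURE"):
        failures[_user(event)].append(_country(event))
    return {
        user: sorted(set(countries))
        for user, countries in failures.items()
        if len(countries) >= min_failures and len(set(countries)) >= min_countries
    }


def suspected_takeovers(events, min_accounts=3):
    """Successful logins from a source already seen failing across accounts: lock and review first."""
    flagged = spraying_sources(events, min_accounts)
    return sorted({(_user(e), _ip(e)) for e in _logins(events, "SUCCESS") if _ip(e) in flagged})


if __name__ == "__main__":
    for ip, users in spraying_sources(SAMPLE_EVENTS).items():
        print(f"spraying source {ip}: {len(users)} accounts")
    for user, countries in targeted_accounts(SAMPLE_EVENTS).items():
        print(f"targeted account {user}: failures from {', '.join(countries)}")
    for user, ip in suspected_takeovers(SAMPLE_EVENTS):
        print(f"SUSPECTED TAKEOVER: {user} succeeded from spraying source {ip}")
```

Against the constructed events, all three attacker addresses are reported as spraying sources, the corporate egress address is not, every target shows failures from three countries, and the single success for bob from a flagged source is the one login to lock and investigate.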
Response
Okta detected the campaign through automated anomaly detection on authentication patterns. Affected accounts were locked and their owners notified. Okta published guidance to customers emphasising MFA enforcement. The company also analysed the credential lists used in the attack and identified overlaps with known breach compilations, consistent with the passwords having come from reuse on other breached services rather than from Okta.
Outcome
The attack, while affecting a relatively small number of accounts, was particularly embarrassing given Okta's mission as an identity security provider. The incident reinforced Okta's messaging about mandatory MFA enforcement and prompted enterprise customers to review the policies and exemptions under which MFA could be bypassed or left unenrolled.
Key Takeaways
- Even identity providers can be credential-stuffed; enforce MFA by policy for every account rather than leaving enrolment optional, and audit the bypass policies and exemptions under which a password alone still grants a session
- Monitor authentication logs for patterns consistent with credential stuffing: many failed attempts across many accounts, often from a small set of source addresses, and failures for one account arriving from several countries in a short window
- Have I Been Pwned-style breach monitoring for your user base can identify users whose credentials appear in public dumps; checking candidate passwords against a pwned-password corpus at set and reset time stops a reused password before it can be stuffed
- Users with MFA enabled were almost entirely protected, the clearest possible demonstration of MFA value: a bulk stuffing run cannot complete a second factor, although weaker factors remain exposed to follow-up phishing or push-fatigue attempts against the accounts whose passwords the run confirmed
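The breach-monitoring control in the third takeaway, as an added example that is not part of the original article or of Okta's or Have I Been Pwned's own code: a Python implementation of the k-anonymity range query that the Pwned Passwords service exposes, in which only the first five hex characters of the password's SHA-1 leave the host and the remaining 35 are compared locally. The endpoint URL and the Add-Padding header are the real service's; the range responses, breach count and filler suffixes below are constructed so the example runs offline. The separate breached-accounts (email address) API is not covered here; it requires an API key.

```python
"""Check a password against a Pwned Passwords-style corpus without revealing it.

k-anonymity protocol: SHA-1 the password, send only the first five hex characters,
and match the remaining 35 locally against the suffixes the service returns.
Real endpoint: GET https://api.pwnedpasswords.com/range/{prefix}. The range bodies
in CONSTRUCTED_RANGES are invented for offline use.
"""
import hashlib
import urllib.request


def hash_split(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padded entries arrive with count 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in the corpus; 0 means not found."""
    prefix, suffix = hash_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix):
    """Live lookup; Add-Padding hides the true response size from a network observer."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "credential-stuffing-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range bodies. The suffix for "password" (SHA-1 5BAA61E4...) is present
# with an invented count; the other suffixes are filler, including one padding entry.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FEDCBA9876543210FEDCBA9876543210FED:0",  # padding entry, count 0
    ]),
}


def fetch_range_offline(prefix):
    """Stand-in for the network call so the example runs without connectivity."""
    return CONSTRUCTED_RANGES.get(prefix, "0" * 35 + ":0")


def check_users(users, fetch_range=fetch_range_offline):
    """Map each login to the breach count of its candidate password, for use at set/reset time."""
    return {login: breach_count(password, fetch_range) for login, password in users}


if __name__ == "__main__":
    # Constructed candidates: a notoriously reused password and a random passphrase.
    candidates = [("bob@example.com", "password"), ("alice@example.com", "Tq8!v-lamp-orbit-29")]
    for login, count in check_users(candidates).items():
        verdict = f"seen {count} times, reject" if count else "not in corpus"
        print(f"{login}: {verdict}")
```

Swap fetch_range_offline for fetch_range_online to query the real service; the same hash_split and parse_range code applies because the response format is identical. A policy hook that rejects any candidate with a non-zero count at password set or reset time removes exactly the reused passwords that a stuffing list relies on.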