Unprecedented Spike in Credential Stuffing Attacks on Okta Customers
Okta, one of the leading providers of identity and access management solutions, has recently sounded the alarm on a drastic increase in the number of credential stuffing attacks targeting its customers. These attacks are being carried out in an automated manner, with threat actors using lists of usernames and passwords obtained from the dark web to compromise user accounts.
According to a recent advisory by Okta, these attacks appear to originate from the same infrastructure previously used in the brute-force and password-spraying attacks reported by Cisco Talos [1, 2]. Furthermore, all the attacks observed by Okta were found to have used the Tor anonymization network and various residential proxy services, such as NSOCKS, Luminati, and DataImpulse.
Impact of the Attacks and Recommended Measures
Okta has reported that the attacks were particularly successful against organizations using the Okta Classic Engine with ThreatInsight configured in “Audit-only” mode instead of “Log and Enforce” mode. Similarly, organizations that had not restricted access from anonymizing proxies saw a higher success rate for these attacks. However, Okta has clarified that only a small percentage of its customers were actually impacted.
To protect its customers from these attacks, Okta has provided a set of measures that can be implemented at the network edge:
- Enable ThreatInsight in “Log and Enforce” mode, which proactively blocks IP addresses known for involvement in credential stuffing attacks before they can even attempt authentication.
- Restrict access from anonymizing proxies, which blocks requests that come through suspicious anonymizing services.
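As an added defender-side illustration (not code from Okta or from the advisory), the following script walks constructed Okta System Log events and surfaces the three signals the measures above are about: one source IP failing logins across many distinct accounts (the credential-stuffing pattern, as opposed to brute force against one account), attempts ThreatInsight flagged as suspected threats that still reached authentication (which is what “Audit-only” mode allows), and successful logins that arrived through an anonymizing proxy. The event field names follow the Okta System Log schema as I understand it and are an assumption for this example.

```python
import json
from collections import defaultdict

# Constructed sample events in abridged Okta System Log JSON-lines form.
# Field names are an assumption about the System Log schema, not values
# taken from the advisory; IPs are documentation ranges.
SAMPLE_LOG = """\
{"eventType":"user.session.start","outcome":{"result":"FAILURE"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"securityContext":{"isProxy":true},"debugContext":{"debugData":{"threatSuspected":"true"}}}
{"eventType":"user.session.start","outcome":{"result":"FAILURE"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.10"},"securityContext":{"isProxy":true},"debugContext":{"debugData":{"threatSuspected":"true"}}}
{"eventType":"user.session.start","outcome":{"result":"FAILURE"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.10"},"securityContext":{"isProxy":true},"debugContext":{"debugData":{"threatSuspected":"true"}}}
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"dave@example.com"},"client":{"ipAddress":"203.0.113.10"},"securityContext":{"isProxy":true},"debugContext":{"debugData":{"threatSuspected":"true"}}}
{"eventType":"user.session.start","outcome":{"result":"FAILURE"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"},"securityContext":{"isProxy":false},"debugContext":{"debugData":{"threatSuspected":"false"}}}
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"},"securityContext":{"isProxy":false},"debugContext":{"debugData":{"threatSuspected":"false"}}}
"""

def analyze(log_text, min_distinct_users=3):
    """Return (stuffing_sources, audit_only_hits, proxy_successes).

    stuffing_sources: {ip: sorted usernames} for IPs whose failed logins
      span at least min_distinct_users accounts (stuffing signature).
    audit_only_hits: attempts ThreatInsight flagged (threatSuspected) that
      still reached authentication, i.e. logged but not enforced.
    proxy_successes: successful logins that came through an anonymizing
      proxy, which a proxy restriction would have blocked.
    """
    failures = defaultdict(set)
    audit_only_hits = 0
    proxy_successes = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventType") != "user.session.start":
            continue  # only login attempts are relevant here
        ip = ev["client"]["ipAddress"]
        user = ev["actor"]["alternateId"]
        result = ev["outcome"]["result"]
        debug = ev.get("debugContext", {}).get("debugData", {})
        if debug.get("threatSuspected") == "true":
            audit_only_hits += 1
        if result == "FAILURE":
            failures[ip].add(user)
        elif result == "SUCCESS" and ev.get("securityContext", {}).get("isProxy"):
            proxy_successes.append((ip, user))
    stuffing = {ip: sorted(u) for ip, u in failures.items()
                if len(u) >= min_distinct_users}
    return stuffing, audit_only_hits, proxy_successes

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

With ThreatInsight in “Log and Enforce” mode the first four events would never reach authentication, so a non-zero `audit_only_hits` on a real export is a quick check of which mode a tenant is actually in.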