Okta warns users to be aware of damaging cyberattacks targeting customers

A zoomed-in picture of a computer screen displaying a login window with a password typed in
(Image credit: Future)

Identity and access management giant Okta has warned customers of an ongoing credential stuffing attack against one of its tools and suggested users either disable it, or apply a set of mitigations to remain secure.

An announcement from the company noted how hackers have been abusing the cross-origin authentication feature in Customer Identity Cloud (CIC) to mount credential stuffing attacks for several weeks now.

"Okta has determined that the feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks," the announcement read. "As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers."

Stuffing the login page

Okta Customer Identity Cloud is a comprehensive identity and access management (IAM) platform designed to manage and secure customer identities. Cross-origin resource sharing (CORS), being abused, is a security mechanism that allows web applications running at one origin (domain) to request resources from a server at a different origin. 

Finally, credential stuffing attack is when hackers “stuff” an online login page with countless credentials obtained elsewhere, in an attempt to break into different accounts. 

With CORS, customers add JavaScript to their websites and applications, which sends authentication calls to the Okta API hosted, BleepingComputer explains. However, the feature only works when customers grant access to the URLs from which cross-origin requests can be created. 

Hence, if these URLs are not being actively used, they should be disabled, Okta said.

Those interested to see if their infrastructure was targeted already should check their logs for “fcoa”, “scoa”, and “pwd_leak” events, which are evidence of cross-origin authentication and login attempts. If the tenant doesn’t use cross-origin authentication but the logs show fcoa and scoa events, then a credential stuffing attempt has been made. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.