TechRadar
Sead Fadilpašić

Okta warns users to be aware of damaging cyberattacks targeting customers


Identity and access management giant Okta has warned customers of an ongoing credential stuffing attack against one of its tools and suggested users either disable it, or apply a set of mitigations to remain secure.

An announcement from the company noted how hackers have been abusing the cross-origin authentication feature in Customer Identity Cloud (CIC) to mount credential stuffing attacks for several weeks now.

"Okta has determined that the feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks," the announcement read. "As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers."

Stuffing the login page

Okta Customer Identity Cloud is a comprehensive identity and access management (IAM) platform designed to manage and secure customer identities. Cross-origin resource sharing (CORS), the feature being abused, is a security mechanism that allows web applications running at one origin (domain) to request resources from a server at a different origin.

Finally, a credential stuffing attack is when hackers “stuff” an online login page with countless credentials obtained elsewhere, in an attempt to break into different accounts.

With CORS, customers add JavaScript to their websites and applications, which sends authentication calls to the Okta API hosted, BleepingComputer explains. However, the feature only works when customers grant access to the URLs from which cross-origin requests can be created. 

Hence, if these URLs are not being actively used, they should be disabled, Okta said.

Those who want to see whether their infrastructure has already been targeted should check their logs for “fcoa”, “scoa”, and “pwd_leak” events, which are evidence of cross-origin authentication and login attempts. If the tenant doesn’t use cross-origin authentication but the logs show fcoa and scoa events, then a credential stuffing attempt has been made.
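The log check described above can be scripted. The following is an added example, not code from Okta or the article: it assumes the tenant logs were exported as one JSON object per line, and the field names "type", "ip" and "user_name", the function name and the sample lines are all assumptions constructed for illustration.

```python
import json
from collections import Counter, defaultdict

WATCHED = {"fcoa", "scoa", "pwd_leak"}  # event codes named in the article

# Constructed sample export, one JSON object per line. Field names
# ("type", "ip", "user_name") are assumptions about the export format.
SAMPLE_LOG = """\
{"type": "s", "ip": "198.51.100.7", "user_name": "alice@example.com"}
{"type": "fcoa", "ip": "203.0.113.50", "user_name": "bob@example.com"}
{"type": "fcoa", "ip": "203.0.113.50", "user_name": "carol@example.com"}
{"type": "pwd_leak", "ip": "203.0.113.50", "user_name": "dave@example.com"}
{"type": "scoa", "ip": "203.0.113.50", "user_name": "erin@example.com"}
truncated-line-that-is-not-json
{"type": "fcoa", "ip": "203.0.113.99", "user_name": "bob@example.com"}
"""


def triage(log_text, tenant_uses_cross_origin_auth):
    """Summarise watched events and apply the article's rule of thumb."""
    counts = Counter()
    users_by_ip = defaultdict(set)
    scoa_accounts = set()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # keep going: one bad line must not hide the rest
            continue
        if not isinstance(event, dict) or event.get("type") not in WATCHED:
            continue
        counts[event["type"]] += 1
        user = event.get("user_name", "unknown")
        users_by_ip[event.get("ip", "unknown")].add(user)
        if event["type"] == "scoa":
            scoa_accounts.add(user)  # successful logins: review these first
    # Either code counts as a hit here when the feature is not in use.
    cross_origin_seen = counts["fcoa"] + counts["scoa"] > 0
    return {
        "counts": dict(counts),
        "suspected_stuffing": cross_origin_seen and not tenant_uses_cross_origin_auth,
        "accounts_with_scoa": sorted(scoa_accounts),
        "usernames_per_ip": {ip: len(u) for ip, u in users_by_ip.items()},
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, False), indent=2))
```

A source address that touches many distinct usernames, as 203.0.113.50 does in the sample, is a useful pivot for blocking and for deciding which accounts need a password reset.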
