Okta Warns Customers of Credential Stuffing Attacks

In a recent advisory, Okta, a leading identity and access management services provider, sounded the alarm over a rise in credential stuffing attacks targeting online services. Let’s delve into the details of this warning and understand the implications.

Overview of the Threat

Okta reported a significant increase in the frequency and scale of credential stuffing attacks against online services in recent weeks. These attacks have been fuelled by the widespread availability of residential proxy services, lists of previously stolen credentials, and automation tools. The surge in attacks poses a severe threat to the security of user accounts and sensitive data.

Observations by Security Experts

Duo Security and Cisco Talos also observed large-scale brute-force attacks against various targets, including VPN services, web application authentication interfaces, and SSH services. The attacks, originating from TOR exit nodes and other anonymizing tunnels and proxies, targeted VPN appliances and routers from multiple vendors.

Modus Operandi of Credential Stuffing Attacks

Credential stuffing attacks involve the automated trial of username and password combinations obtained from previous data breaches or phishing campaigns. Threat actors exploit the reuse of login credentials across multiple accounts, attempting to gain unauthorised access to compromised accounts.

Recommendations for Organisations

  • Enable ThreatInsight in Log and Enforce Mode for proactive IP address blocking.
  • Deny access from anonymizing proxies to prevent attacks from dubious sources.
  • Switch to Okta Identity Engine for enhanced security features.
  • Utilize CAPTCHA challenges and passwordless authentication with Okta FastPass.
  • Implement Dynamic Zones to manage access based on geo-location and other criteria.
Okta's Warning on Credential Stuffing Attacks
Blocking anonymized requests from Admin Console > Settings > Features
Okta

Implementing these recommendations can fortify an organisation’s defence against credential stuffing attacks, ensuring a safer online environment for users and stakeholders.

Conclusion

Credential stuffing attacks pose a significant threat to the security of online services and user accounts. By heeding Okta’s warning and implementing robust security measures, Okta customers can better protect themselves against these malicious activities and safeguard their sensitive data.

Another approach to create a safer cyber world is to not use the typical password based authentication. By eliminating passwords, organizations can improve their defences, increase security and reduce the risk of future incidents. Typical cyber attacks such as Credential Stuffing are not applicable to Passwordless authentication, so the best way to move forward is to #gopasswordless

Read Also

Unpacking Okta’s Recent Security Breach

Okta Breach Part 2: Unveiling the Full Scope and Impact

Another Password Manager Breached – Norton

In January, 2023 Gen Digital, a firm previously popular as Symantec and NortonLifeLock , found itself targeted by a significant Credential Stuffing attack. The attack resulted in the compromise of thousands of user accounts.

Just weeks prior to this incident, LastPass, a prominent competitor of Gen Digital in the password manager market, fell victim to a breach. This breach followed a prior cyberattack against LastPass in August. According to LastPass, the hackers leveraged technical data pilfered during the August cyberattack to gain unauthorized access to its cloud storage system.

It’s worth noting the irony here – the very software designed to fortify defences against cyber attacks found itself in the crosshairs of one. To draw a parallel, it’s akin to a scenario where the police station itself becomes the target of a burglary.

Credential Stuffing

Credential stuffing refers to the use of credentials such as username, email id and personal information from previous security breaches. These credentials are fed to other login systems to gain access to other websites. Unlike other cyber attacks, Credential Stuffing does not require brute force. Instead it uses a simple web solution to stuff thousands of stolen credentials into login systems. Credential stuffing is one of the oldest tricks in the book. It’s very easy to fall victim if one uses the same or similar credentials on multiple sites.

Lost one password? Alas you lost them all - Norton Credential stuffing attack.

I recently explored the website “Have I been pwned” and was shocked to see one of my personal email ids compromised in a previous attack. Going through their listing on breached websites made me realise how unsafe our credentials and information are, and how easily one can gain access to it.

Impact of the Incident

In an internal investigation in December 2022, NortanLifeLock detected “unusually large volume” of login attempts. They found that a malicious actor was using a list of credentials obtained from illegal marketplaces on “dark web”.

Nortan commented that 925,000 people were targeted in a credential-stuffing attack. It is probable that the data does contain names, phone numbers and addresses of users. The attackers might also have access to Norton Password Manager users’ private vault data. This vault contains stored passwords for other online accounts. The firm is not commenting on how much customer data actually got a negative impact because of the attack.

Nortan relaeased a warning to it’s users after failing to reject the mass login attempt. They indicated that they “strongly believe that an unauthorised third party knows and has utilised your username and password for your account.” They also suggested the users to use 2 step authentication systems and provided free credit monitoring services to affected users.

Amplification Effect

The Password managers are a hot target because they provide adversaries with an amplified power to gain access to multiple accounts by compromising one password manager account.

As they say putting all the eggs in one basket is a bad strategy. Keeping all passwords in one manager will have a huge impact if compromised.

Passwords are not assets; they represent security vulnerabilities. Rather than locking them away in a vault, consider going passwordless. #GoPasswordless