Attackers breached Okta's support system, stealing session tokens from 18,400 users. Learn the four control failures that enabled the attack, why MFA didn't help, how other organisation avoided compromise and get a security operator checklist with actions to take to protect your organisation.
Reading time 10 Minutes
The Okta support system breach is often described as a credential theft incident.
It wasn't.
The attackers never needed to defeat MFA, exploit a vulnerability, or compromise customer environments directly.
They accessed a support platform, extracted authentication artifacts from customer troubleshooting files, and moved into customer environments using already-authenticated sessions.
The deeper lesson is not about Okta.
It is about a category of systems most organisations fail to model correctly.
Support platforms have become identity infrastructure.
The organisations that understood this limited their exposure.
The organisations that didn't became breach victims.
In October 2023, attackers compromised Okta's customer support system, gaining access to files associated with 134 enterprise customers. A subsequent report run by the attacker exposed data on 18,400 users. Okta later confirmed active session hijacking in 5 customer environments, including major security vendors like BeyondTrust, Cloudflare, and 1Password. The breach exposed a fundamental classification failure: Okta treated the support platform as a support tool. Attackers treated it as identity infrastructure. The attackers were correct.
Business Impact: Attackers accessed customer accounts within 30 minutes of obtaining credentials. One affected customer detected the breach and alerted Okta on October 2, but Okta took 15 days to confirm and shut down attacker access. During this window, attackers could access administrative systems at multiple organizations.
Root Cause: Okta's support system, which handled sensitive customer data, lacked adequate security controls. Customers uploading troubleshooting files to support tickets unknowingly shared active session tokens. Standard multi-factor authentication offered no protection because attackers used session tokens already validated by MFA. Support systems function as unmonitored identity infrastructure.
Why This Matters: Vendor support systems are rarely evaluated as security risks despite privileged access to customer authentication artifacts. Microsoft detects 39,000 session token attacks per day. Token replay attacks increased 111% year-over-year. Average breach cost: $4.88 million. When vendors get breached, breach costs extend to each affected customer organisation.
The Control Failure: Organisations that avoided compromise had additional authorisation checks beyond username and password. BeyondTrust required device verification in addition to credentials, blocking the attack despite credential theft. Most organisations lack these layered controls.
Methodology note: This analysis is based on publicly available vendor disclosures, official incident reports, and cited industry threat intelligence. All statistics are sourced from primary references listed below. Timeline dates reflect public disclosure dates unless otherwise noted.
Note: Timeline dates are based on publicly available information from official incident disclosures and vendor advisories. Dates reflect when events were disclosed or documented, not necessarily when they were first detected internally.
September 28, 2023
Event: BeyondTrust uploads HAR file to Okta support for troubleshooting
Signal Available to Defenders: HAR file upload event logged in support system
Source: BeyondTrust Official Disclosure
September 28, 2023 (within 30 minutes)
Event: Threat actor accesses BeyondTrust's HAR file containing session tokens
Signal Available to Defenders: Anomalous access to customer support files; BeyondTrust detects attack attempt within 30 minutes through their own monitoring
Detection Opportunity: Anomaly detection on support system access patterns
Source: BeyondTrust Official Disclosure, Okta Root Cause Analysis
October 2, 2023
Event: BeyondTrust alerts Okta to suspected breach
Signal Available to Defenders: Customer-initiated security alert; external notification of compromise
Containment Failure: 4-day gap between BeyondTrust's detection and Okta's formal acknowledgement. BeyondTrust actively escalated during this period and had difficulty getting Okta to confirm the breach.
Source: Okta Root Cause Analysis
October 17, 2023
Event: Okta disables the service account and terminates associated sessions
Operational Impact: 15-day delay from customer alert to vendor confirmation; attackers maintained access during investigation period
Containment Failure: Extended detection lag enabled prolonged unauthorised access to 134 customer accounts
Source: Okta Root Cause Analysis
Post-Breach Intelligence:
→ Microsoft detects 39,000 session token attacks per day (industry baseline)
→ Token replay attacks increased 111% year-over-year in 2023
→ Okta's default session token lifespan: 2 hours. This is a sufficient operational window for attackers operating within the token's validity window.
Most breach investigations focus on how attackers got in.
This incident raises a different question:
What happens when a customer discovers a vendor breach before the vendor does?
That scenario reverses the assumptions built into most incident response plans. Escalation paths, communication procedures, and vendor management processes generally assume the vendor is the source of the warning. The Okta incident demonstrated what happens when that assumption fails.
Most breach analyses focus on the technical failure. This one requires examining an organisational failure that compounded every technical mistake that preceded it.
BeyondTrust detected the attack on September 28, 2023. This was the same day the HAR file was uploaded. Their own monitoring flagged anomalous activity within 30 minutes. They identified Okta's support system as the likely source and began escalating to Okta immediately.
Okta did not confirm the breach until October 17. That is 15 days after BeyondTrust's formal alert on October 2, and 19 days after the initial attack.
This is not a detection failure. BeyondTrust detected it. This is a vendor response failure, and it is the element of this breach that most organisations have not built a defence against.
The Reversal Nobody Plans For
Enterprise security programs are built around a standard assumption: vendors alert customers when something goes wrong. Incident response plans, escalation paths, and SLA frameworks are all designed around that direction of information flow.
The Okta breach inverted it. A customer detected a vendor's breach before the vendor did, then spent days attempting to get the vendor to accept that finding. BeyondTrust's security team had to escalate repeatedly before Okta formally acknowledged the compromise.
This creates a specific organisational risk that almost no security program has mapped: what happens inside your vendor when you tell them they have been breached?
The Decision Environment
Okta had already experienced a significant breach in early 2022, related to the Lapsus$ compromise of a third-party support contractor. By October 2023, acknowledging a second major compromise of its support infrastructure within 18 months carried substantial reputational, legal, and commercial weight.
The 15-day gap between customer alert and vendor confirmation was almost certainly not purely a technical investigation lag. It reflects a decision environment under significant organisational pressure. This is the kind of pressure that exists at every large vendor and that no compliance framework currently measures.
This is not an accusation. It is a structural observation: the incentives facing a vendor when a customer reports a breach of the vendor's own systems are not aligned with rapid confirmation and disclosure. Security operators need to account for this misalignment explicitly.
Note: The internal decision-making process at Okta during this period has not been publicly documented. The above reflects analytical inference based on the documented timeline and organisational context.
The Question Your Programme Hasn't Answered
The standard vendor risk question is: how long does it take your vendors to detect a breach?
The harder question, exposed by this incident, is: what is your response plan when your vendor does not believe you?
Specifically:
→ At what point do you escalate beyond the vendor's support team to their security organisation?
→ At what point do you treat unconfirmed vendor compromise as confirmed for your own containment purposes?
→ Do you have pre-authorised containment actions you can take unilaterally? These include session termination, credential rotation, and access suspension without waiting for vendor confirmation.
BeyondTrust answered the last question correctly. While waiting for Okta to confirm, they treated the compromise as real and acted on their own systems accordingly. That decision, not the eventual vendor confirmation, is what limited their exposure.
The Operator Implication
Vendor breach response requires inverting the normal alert dynamic. Build the response capability before you need it:
→ Establish a direct escalation path to your critical vendors' security teams, not their support desks. Test it before an incident.
→ Define internal thresholds: at what confidence level do you begin unilateral containment, independent of vendor confirmation?
→ Include vendor response timelines in your vendor risk scoring, not just detection timelines. A vendor that takes 15 days to confirm a customer-reported breach is a different risk profile than one that confirms within 24 hours.
The technical controls in this analysis address how attackers move. This section addresses the gap that gave them 15 days to do it.
Most organisations treat HAR files as troubleshooting data.
Attackers treat them as credential repositories.
A HAR (HTTP Archive) file captures browser-to-server communications and is commonly requested by support teams when diagnosing authentication, performance, or application issues.
Depending on how it is generated, a HAR file may contain:
→ Session cookies
→ Session tokens
→ Authentication headers
→ CSRF tokens
→ Internal application URLs
→ API requests and responses
→ User identifiers
→ Browser metadata
In many environments, a HAR file effectively becomes a snapshot of an authenticated session.
This creates a dangerous security paradox.
Security teams routinely apply strict controls to password vault exports, privileged credentials, and authentication databases while sending HAR files to vendors with little scrutiny.
The Okta breach demonstrated why this assumption is dangerous.
The attackers did not need to steal passwords.
The passwords had already done their job.
The HAR files contained proof that authentication had already occurred.
Once attackers obtained those artifacts, they inherited the trust established by the legitimate user.
Operational Lesson:
Treat HAR files, browser session exports, troubleshooting logs, and authentication traces as privileged identity assets.
If a file can recreate trust, it deserves the same protection as credentials.
Attackers didn't steal authentication.
They stole proof that authentication had already happened.
One of the most common misconceptions about the Okta incident is that attackers bypassed multi-factor authentication.
They did not.
MFA functioned exactly as designed.
The legitimate users successfully authenticated.
The problem was what happened afterward.
The session tokens stored inside customer HAR files represented already-authenticated sessions.
When attackers extracted those tokens, they inherited the outcome of a successful MFA process.
This distinction matters.
The attack did not defeat authentication.
It exploited trust that had already been established.
This is why session hijacking continues to grow despite widespread MFA adoption.
Many organisations focus heavily on strengthening authentication while investing far less effort into protecting the artifacts created after authentication succeeds.
The lesson from Okta is simple:
Authentication and authorisation are not the same thing.
→ Authentication proves identity.
→ Authorisation determines access.
→ When possession of a session token automatically grants access, attackers only need to steal the token, not defeat MFA.

Each stage demonstrates how session artifacts bypass authentication controls when trust has already been established. The support system became the pivot point enabling lateral movement without triggering authentication challenges.
An exploit chain maps the sequence of steps attackers take from initial access to final impact, showing how security controls failed at each stage.
Initial Access: Threat actor used stolen credentials to access a service account in Okta's customer support case management system. No technical exploit was required. Valid credentials provided legitimate access to the support platform.
Privilege Escalation: The compromised service account was granted permissions to view and update customer support cases, including access to customer-uploaded HAR files. HAR (HTTP Archive) files contain complete records of browser-server interactions, including session tokens, cookies, and authentication headers uploaded by customers during normal troubleshooting workflows.
Lateral Movement: Session tokens extracted from HAR files could be used for session hijacking attacks. Attackers used stolen tokens to access customer administrative accounts without re-authentication. The tokens were created post-MFA, bypassing multi-factor authentication entirely.
Impact: Unauthorized access to files associated with 134 customer accounts, later expanded to 18,400 users. The threat actor was able to use session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom publicly shared their response to this event. Session hijacking enabled attacker movement that appeared as legitimate authenticated activity.
The control system refers to the layered security mechanisms organisations use to prevent, detect, and respond to attacks across discovery, identity governance, prioritisation, and segmentation.
Control: Asset Discovery & Threat Modelling
Gap Description: Support systems function as identity infrastructure but were not modelled as identity attack surfaces. Only 31% of organisations base their understanding of third-party risk on formal enterprise-wide assessments. The support system existed outside the scope of identity threat modelling despite privileged access to customer session data. Defenders classified the platform according to business purpose (support tool). Attackers classified it according to access capability (identity infrastructure).
Control: Credential Lifecycle Management
Gap Description: Support system credentials were compromised through stolen credential attack vector with no automated rotation or monitoring.
Control: Session Token Lifespan Management
Gap Description: Session tokens in HAR files had 2-hour default lifespans, providing sufficient operational window for attackers moving within 30 minutes.
Control: Sensitive Data Scrubbing
Gap Description: No automated scrubbing of session artifacts from customer-uploaded files before storage or access by support staff.
Control: Session Token Monitoring
Gap Description: Session token monitoring and anomaly detection absent or ineffective. Session hijacking attacks continue to grow despite widespread MFA adoption.
Control: Critical Asset Classification
Gap Description: Support systems not classified as critical infrastructure despite privileged access to customer authentication data.
Control: Vendor Security Assessment
Gap Description: No formal assessment of support system access controls or monitoring capabilities. Vendor risk assessments prioritised compliance over operational security.
Control: Security Monitoring Prioritization
Gap Description: Detection lag (15 days from customer alert to vendor confirmation) indicates inadequate prioritization of support system security monitoring.
Control: Supply Chain Visibility
Gap Description: Many third-party vendors don't maintain accurate inventories of their own supply chain products, leaving organisations unaware of downstream vulnerabilities.
Control: Authorisation-Layer Segmentation
Gap Description: The compromised support system had direct access to customer session artefacts without additional authorisation controls. BeyondTrust avoided compromise through non-default security policy: policies within BeyondTrust's Okta only allowed access to the admin console from managed devices with Okta Verify installed. Most customers lacked this authorisation-layer segmentation. The control that mattered wasn't authentication. It was authorisation policy preventing lateral movement from token possession to account access.
Attack Vector Maturity: Session token theft and replay is a mature, widely deployed technique.
Industry Baseline Threat Data:
→ Microsoft: 39,000 session token attacks detected daily
→ Token replay attacks: +111% YoY in 2023
→ 17 billion stolen cookie records recovered from dark web in 2024
→ 60% of Cisco Talos incident response cases in 2024 involved identity as key attack vector
Time-to-Exploit (TTE): Less than 30 minutes from HAR file upload to attacker access. This demonstrates operational tempo asymmetry favouring attackers.
Detection Lag: 15 days from customer alert (October 2) to vendor confirmation (October 17). This created an extended operational window for attackers.
Recurring Pattern: Cloudflare impacted by Okta breach for second time (previous incident disclosed March 2022), revealing persistent vendor risk that doesn't resolve through single incident response cycles.
Tactical (48-Hour Actions)
1 Scrub HAR files before upload: Implement automated or manual process to remove session tokens, cookies, and authentication headers from HAR files before sharing with vendor support teams. Operational overhead: minimal. Risk reduction: significant.
2 Implement session token monitoring: Deploy anomaly detection for session token usage patterns. Alert on: token replay from new geo location, token usage from multiple IPs simultaneously, token usage outside normal user behavior baseline.
3 Reduce session token lifespan: Decrease default session token duration from 2 hours to 15-30 minutes for high-privilege accounts. Implement token rotation for active sessions.
4 Implement authorisation-layer controls: Deploy BeyondTrust's approach. Default deny access with specific criteria required. Prevent token possession from automatically granting account access without additional authorisation checks.
Structural (90-Day Transformation)
1 Expand identity threat modelling to vendor support systems: Include vendor support platforms with access to customer session artefacts in formal identity attack surface assessments. Map data flows showing where session tokens, cookies, and authentication artefacts accumulate during normal operations.
2 Event-driven vendor risk assessment: Shift from annual compliance assessments to continuous operational security monitoring. Track: support system access controls, detection lag metrics, incident response timelines, monitoring capabilities for privileged access systems.
3 Implement session artifact lifecycle management: Establish policies for session token handling across the organization: automatic expiration, secure storage requirements, access logging, and automated scrubbing from troubleshooting data.
4 Deploy identity-based segmentation: Implement authorisation controls that separate authentication from authorisation. Token possession should not equal access. Additional policy checks are required before granting access to sensitive resources.
5 Build vendor detection capability assessment framework: Include detection lag, mean-time-to-acknowledge, and incident confirmation timelines in vendor risk scoring. The average global cost of a data breach is $4.88 million. Vendor detection failures amplify this exposure.
Any system that stores authentication artifacts is identity infrastructure, regardless of its intended purpose.
This principle extends beyond support systems.
It applies to:
→ Ticketing platforms
→ Troubleshooting repositories
→ Browser logs
→ Monitoring platforms
→ Security tools
→ Diagnostic exports
→ Collaboration systems containing authentication artifacts
Defenders often classify systems according to business purpose.
Attackers classify systems according to the access they can provide.
The difference between those two viewpoints frequently determines whether a breach is contained or expanded.
The organisations that recognized this implemented controls accordingly. The organisations that didn't paid the price.
If You Run a Security Program, Check This Now:
☐ Are vendor support systems included in your identity attack surface threat model?
☐ Do you scrub session tokens and authentication artifacts from HAR files, debug logs, and troubleshooting data before sharing with vendors?
☐ Do you monitor for session token replay attacks, anomalous token usage patterns, and token usage from unexpected geolocations?
☐ What is your default session token lifespan? Is it <30 minutes for high-privilege accounts?
☐ Do you have authorisation-layer controls that prevent token possession from automatically granting access?
☐ Can you measure vendor detection lag? Do you know how long it takes your vendors to confirm security incidents after your alert?
☐ Are third-party identities (contractors, partners, SaaS provider support accounts) in your asset inventory and monitored like internal identities?
The October 2023 Okta support system breach exposed a fundamental misclassification in enterprise security. Okta treated the support platform as a support tool. Attackers treated it as identity infrastructure. The attackers were correct.
These platforms accumulate session tokens, authentication artifacts, and trust credentials during normal troubleshooting operations. Four control system failures enabled this breach. Discovery failure: support systems with privileged access to session data were excluded from identity threat models. Identity governance failure: no session token lifecycle management, monitoring, or automated scrubbing of authentication artefacts from customer uploads. Prioritisation failure: vendor risk assessments focused on compliance rather than operational security capabilities like detection lag and monitoring. Segmentation failure: authentication without authorisation checks allowed token possession to equal account access.
Organisations that blocked the attack implemented authorisation-layer controls requiring device verification beyond credentials. This demonstrates that post-authentication authorisation policy, not multi-factor authentication alone, provides effective defence against session hijacking. Session token attacks increased 111% year-over-year. Microsoft detects 39,000 daily. The pattern repeats because defenders protect authentication while attackers exploit the artifacts created after authentication succeeds.
Immediate actions: scrub session tokens from troubleshooting files, implement token usage monitoring, reduce token lifespans for privileged accounts, and deploy authorisation controls separating authentication from access. Structural transformation: expand identity threat modelling to vendor support platforms, shift to event-driven vendor risk assessment tracking detection capabilities, and build frameworks measuring vendor security response timelines. Any system that stores authentication artifacts becomes identity infrastructure, regardless of intended purpose.
Attackers gained access to a service account inside Okta's support environment and accessed customer-uploaded HAR files containing session artifacts. These artifacts enabled session hijacking attacks against affected customers.
Not directly. MFA had already been successfully completed by legitimate users. Attackers stole session tokens that represented already-authenticated sessions and replayed them.
A HAR (HTTP Archive) file records browser-server communications and may contain session cookies, authentication headers, tokens, and other sensitive data useful for troubleshooting.
BeyondTrust implemented additional authorisation controls requiring managed-device verification before administrative access was granted. Possession of a valid session token alone was insufficient.
Support platforms should be treated as identity infrastructure because they often store authentication artifacts capable of granting access to sensitive systems.
🔗 Identity as Initial Access: Detection, Prevention & Enterprise Defence
This foundational article provides the comprehensive framework for understanding identity-based attacks as an initial access vector, establishing the control taxonomy and defensive principles applied in this MGM breach analysis.
Reading Time: Approximately 15 minutes
This analysis combines:
• public KEV reporting
• incident response research
• threat intelligence reporting
• operational vulnerability management observations
• publicly documented exploitation case studies
Operational recommendations are intended to support security leaders, SOC teams, vulnerability management programs, infrastructure teams, and executive decision-makers evaluating enterprise remediation readiness.
Timur Mehmet | Founder & Lead Editor
Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.
Contact:
This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:
Editorial Policy: Ethics, Non-Bias, Fact Checking and Corrections
Learn More: About Hackerstorm.com | FAQs
1. Okta Security. "Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation." November 3, 2023. https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause/
2. Okta Security. "October Customer Support Security Incident - Update and Recommended Actions." November 29, 2023. https://sec.okta.com/articles/october-security-incident-recommended-actions/
3. BeyondTrust. "BeyondTrust Discovers Breach of Okta Support Unit." October 2023. https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
4. Cloudflare. "How Cloudflare Mitigated Yet Another Okta Compromise." October 2023. https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
5. 1Password. "Okta Support System Incident and 1Password." October 23, 2023. https://blog.1password.com/okta-incident/
6. Obsidian Security. "Session Hijacking: How It Works, How to Stop It." https://www.obsidiansecurity.com/blog/session-hijacking-how-it-works-how-to-stop-it
7. Push Security. "2024 Identity Breaches." https://pushsecurity.com/blog/2024-identity-breaches
8. The Hacker News. "Session Hijacking 2.0: Latest Way That Attackers Are Evading MFA." September 2024. https://thehackernews.com/2024/09/session-hijacking-20-latest-way-that.html
9. Group-IB. "Session Hijacking Knowledge Hub." https://www.group-ib.com/resources/knowledge-hub/session-hijacking/
10. Cisco Duo. "Duo Passports: Patent-Pending Defense Against Session Hijacking." https://duo.com/blog/duo-passports-patent-pending-defense-against-session-hijacking
11. PwC. "Vendor Cybersecurity Risk." https://www.pwc.com/us/en/services/audit-assurance/digital-assurance-transparency/vendor-cybersecurity-risk.html
12. Frazier & Deeter. "Vendor Blind Spot: Why Third-Party Risk is Cybersecurity's Weakest Link." https://www.frazierdeeter.com/insights/article/vendor-blind-spot-why-third-party-risk-is-cybersecuritys-weakest-link/
13. Microsoft. "Microsoft Digital Defense Report 2023." https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023
(Cited for: 39,000 daily session token attacks; 111% YoY increase in token replay attacks)
14. IBM Security. "Cost of a Data Breach Report 2024." https://www.ibm.com/reports/data-breach
(Cited for: $4.88 million average breach cost)
15. Kaspersky. "More than 2 billion cookies with personal data stolen in 2023." 2024. https://www.kaspersky.com/about/press-releases/2024_more-than-2-billion-cookies-stolen-in-2023
16. Cisco Talos. "Cisco Talos Year in Review 2024." https://blog.talosintelligence.com/cisco-talos-2024-year-in-review/
(Cited for: 60% of IR cases involved identity as key attack vector)
17. PwC. "Global Digital Trust Insights 2024." https://www.pwc.com/gx/en/issues/cybersecurity/global-digital-trust-insights.html
This analysis synthesises information from official government cybersecurity advisories, threat intelligence from leading security vendors (Mandiant/Google Cloud), regulatory filings with the U.S. Securities and Exchange Commission, and Microsoft's enterprise telemetry covering 78+ trillion security signals per day. All technical attribution and threat actor TTPs are derived from these authoritative sources rather than media reporting.
COOKIE / PRIVACY POLICY: This website uses essential cookies required for basic site functionality. We also use analytics cookies to understand how the website is used. We do not use cookies for marketing or personalization, and we do not sell or share any personal data with third parties.