Okta is warning that a cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential stuffing attacks orchestrated by threat actors.

"We observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers," the Identity and access management (IAM) services provider said.

The suspicious activity commenced on April 15, 2024, with the company noting that it "proactively" informed customers that had the feature enabled. It did not disclose how many customers were impacted by the attacks.

Credential stuffing is a type of cyber attack in which adversaries attempt to sign in to online services using an already available list of usernames and passwords obtained either from previous data breaches, or from phishing and malware campaigns.


As recommended actions, users are being asked to review tenant logs for any signs of unexpected login events – failed cross-origin authentication (fcoa), success cross-origin authentication (scoa), and breached password (pwd_leak) – rotate credentials, and restrict or disable cross-origin authentication for tenants.

Tenants are likely to have been targeted in a credential stuffing attack regardless of whether cross-origin authentication is used or not if scoa or fcoa events are present in event logs and if there is an increase in the failure-to-success events.

Other mitigations include enabling breached password detection or Credential Guard, prohibiting users from choosing weak passwords, and enrolling them in passwordless, phishing resistant authentication using new standards such as passkeys.

The development arrives a month after the company alerted of an uptick in the "frequency and scale" of credential stuffing attacks aimed at online services that's facilitated using residential proxy services.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.