Okta | Breaking Cybersecurity News | The Hacker News

We hear this a lot: "We've got hundreds of service accounts and AI agents running in the background. We didn't create most of them. We don't know who owns them. How are we supposed to secure them?" Every enterprise today runs on more than users. Behind the scenes, thousands of non-human identities, from service accounts to API tokens to AI agents, access systems, move data, and execute tasks around the clock. They're not new. But they're multiplying fast. And most weren't built with security in mind. Traditional identity tools assume intent, context, and ownership. Non-human identities have none of those. They don't log in and out. They don't get offboarded. And with the rise of autonomous agents, they're beginning to make their own decisions, often with broad permissions and little oversight. It's already creating new blind spots. But we're only at the beginning. In this post, we'll look at how non-human identity risk is evolving, where most organizations are still exposed, and...

The AI revolution isn't coming. It's already here. From copilots that write our emails to autonomous agents that can take action without us lifting a finger, AI is transforming how we work. But here's the uncomfortable truth: Attackers are evolving just as fast. Every leap forward in AI gives bad actors new tools — deepfake scams so real they trick your CFO, bots that can bypass human review, and synthetic identities that slip quietly into your systems. The fight is no longer at your network's edge. It's at your login screen. And that's why identity has become the last line of defense . Why This Matters Now Legacy security can't keep up. Traditional models were built for slower threats and predictable patterns. AI doesn't play by those rules. Today's attackers: Scale at machine speed. Use deepfakes to impersonate trusted people. Exploit APIs through autonomous agents. Create fake "non-human" identities that look perfectly legitimate. The only security control that can ada...

Is Managing Customer Logins and Data Giving You Headaches? You're Not Alone! Today, we all expect super-fast, secure, and personalized online experiences. But let's be honest, we're also more careful about how our data is used. If something feels off, trust can vanish in an instant. Add to that the lightning-fast changes AI is bringing to everything from how we log in to spotting online fraud, and it's a whole new ball game! If you're dealing with logins, data privacy, bringing new users on board, or building digital trust, this webinar is for you . Join us for " Navigating Customer Identity in the AI Era ," where we'll dive into the Auth0 2025 Customer Identity Trends Report . We'll show you what's working, what's not, and how to tweak your strategy for the year ahead. In just one session, you'll get practical answers to real-world challenges like: How AI is changing what users expect – and where they're starting to push ba...

Cybersecurity firm Expel, in an update shared on July 25, 2025, said it's retracting its findings about a phishing attack that it said leveraged cross-device sign-in to get around FIDO account protections despite being not in physical proximity to the authenticating client device. "The evidence does show the targeted user's credentials (username and password) being phished and that the attacker successfully passed password authentication for the targeted user," the company said . "It also shows the user received a QR code from the attacker. This QR code, when scanned by a mobile device, initiates a FIDO Cross-Device Authentication flow, which according to FIDO specification requires local proximity to the device which generated the QR code (the WebAuthn client). When properly implemented, without proximity, the request will time out and fail." The company further said that while the attackers managed to breach the password barrier, further analysis of t...

Modern enterprise networks are highly complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact securely and efficiently without constant human oversight, which is where non-human identities (NHIs) come in. NHIs — including application secrets, API keys, service accounts, and OAuth tokens — have exploded in recent years, thanks to an ever-expanding array of apps and services that must work together and identify one another on the fly. In some enterprises, NHIs now outnumber human identities by as much as 50-to-1 .  However, NHIs introduce unique risks and management challenges that have security leaders on high alert. Forty-six percent of organizations have experienced compromises of NHI accounts or credentials over the past year, and another 26% suspect they have, according to a recent report from Enterprise Strategy Group .  It's no wonder NHIs — and the difficulties they present with oversight, risk reduction, and gove...

Google has disclosed details of a financially motivated threat cluster that it said "specializes" in voice phishing (aka vishing ) campaigns designed to breach organizations' Salesforce instances for large-scale data theft and subsequent extortion. The tech giant's threat intelligence team is tracking the activity under the moniker UNC6040 , which it said exhibits characteristics that align with threat groups with ties to an online cybercrime collective known as The Com . "Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements," the company said in a report shared with The Hacker News. This approach, Google's Threat Intelligence Group (GTIG) added, has had the benefit of tricking English-speaking employees into performing actions that give the threat actors access or lead to the sharing of valua...

In the wake of high-profile attacks on UK retailers Marks & Spencer and Co-op, Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption caused — currently looking like hundreds of millions in lost profits for M&S alone.  This coverage is extremely valuable for the cybersecurity community as it raises awareness of the battles that security teams are fighting every day. But it's also created a lot of noise that can make it tricky to understand the big picture.  The headline story from the recent campaign against UK retailers is the use of help desk scams. This typically involves the attacker calling up a company's help desk with some level of information — at minimum, PII that allows them to impersonate their victim, and sometimes a password, leaning heavily on their native English-speaking abilities to trick the help desk operator into giving them access to a user account.  Help Des...

While Okta provides robust native security features, configuration drift, identity sprawl, and misconfigurations can provide opportunities for attackers to find their way in. This article covers four key ways to proactively secure Okta as part of your identity security efforts. Okta serves as the cornerstone of identity governance and security for organizations worldwide. However, this prominence has made it a prime target for cybercriminals who seek access to valuable corporate identities, applications, and sensitive data. While Okta provides robust native security features and recommended best practices, maintaining proper security controls requires constant vigilance. Configuration drift, identity sprawl, and misconfigurations can provide attackers a way into Okta and other apps if left unchecked. This article covers four key ways Nudge Security can help you proactively secure Okta as part of your efforts to harden your identity security posture. 1. Continuous Configuration ...

Okta is warning that a cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential stuffing attacks orchestrated by threat actors. "We observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers," the Identity and access management (IAM) services provider said . The suspicious activity commenced on April 15, 2024, with the company noting that it "proactively" informed customers that had the feature enabled. It did not disclose how many customers were impacted by the attacks. Credential stuffing is a type of cyber attack in which adversaries attempt to sign in to online services using an already available list of usernames and passwords obtained either from previous data breaches, or from phishing and malware campaigns. As recommended actions, users are being asked to review tenant logs for any signs of unexpected login events – ...

Identity services provider Okta has disclosed that it detected "additional threat actor activity" in connection with the  October 2023 breach  of its support case management system. "The threat actor downloaded the names and email addresses of all Okta customer support system users," the company said in a statement shared with The Hacker News. "All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was not impacted by this incident." On top of that, the adversary is believed to have accessed reports containing contact information of all Okta certified users, some Okta Customer Identity Cloud (CIC) customers, and unspecified Okta employee information. However, it emphasized that the data does not include user credenti...

Identity and authentication management provider Okta on Friday disclosed that the  recent support case management system breach  affected 134 of its 18,400 customers. It further noted that the unauthorized intruder gained access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking attacks. "The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers," Okta's Chief Security Officer, David Bradbury,  said . Three of those affected include  1Password, BeyondTrust, and Cloudflare . 1Password was the first company to report suspicious activity on September 29. Two other unnamed customers were identified on October 12 and October 18. Okta formally  revealed  the  security event  on October 20, stating that the threat actor leveraged access to a stolen credential to access Okta's support case manageme...

Popular password management solution 1Password said it detected suspicious activity on its Okta instance on September 29 following the support system breach, but reiterated that no user data was accessed. "We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing," Pedro Canahuati, 1Password CTO,  said  in a Monday notice. The breach is said to have occurred using a session cookie after a member of the IT team shared a HAR file with Okta Support, with the threat actor performing the below set of actions - Attempted to access the IT team member's user dashboard, but was blocked by Okta Updated an existing IDP tied to our production Google environment Activated the IDP Requested a report of administrative users The company said it was alerted to the malicious activity after the IT team member received an email about the "requested" administrative user repor...

Identity services provider Okta on Friday disclosed a new security incident that allowed unidentified threat actors to leverage stolen credentials to access its support case management system. "The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases," David Bradbury, Okta's chief security officer, said . "It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted." The company also emphasized that its Auth0/CIC case management system was not impacted by the breach, noting it has directly notified customers who have been affected. However, it said that the customer support system is also used to upload HTTP Archive (HAR) files to replicate end user or administrator errors for troubleshooting purposes. "HAR files can also contain sensitive data, including cookies and session tokens, that malici...

The financially motivated threat actor known as  UNC3944  is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed. "UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group," the threat intelligence firm  said . "UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums." The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, adopting phone-based social engineering and SMS-based phishing to obtain employees' valid credentials using bogus sign-in pages and infiltrate victim organizations, mirroring tactics adopted by another group called  LAPSUS$ . While the group originall...

Identity services provider Okta on Friday warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions. "In recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users," the company  said . The adversary then moved to abuse the highly privileged Okta Super Administrator accounts to impersonate users within the compromised organization. The campaign, per the company, took place between July 29 and August 19, 2023. Okta did not disclose the identity of the threat actor, but the tactics exhibit all the hallmarks of an activity cluster known as  Muddled Libra , which is said to share some degree of overlap with Scattered Spider and Scatter Swine. Central to the attacks is a comme...