It hasn’t been noticed much by the public, but a recent data breach is causing buzz among cybersecurity professionals. The Okta breach compromised 134 business accounts, with follow-up attacks impacting only five Okta customers, a small number compared to more highly publicized incidents nowadays. But the Okta attack represents a new threat many of us had feared would someday come.
Okta made several mistakes, but the key vulnerability was a service account tied to their internal customer support system. A service account is a username/password associated with a software service rather than a human user. When a software application accesses another application, database, or web service behind the scenes, that second system typically requires logon credentials.
Service accounts can be the Achilles heel of complex systems. They typically have more privileges than regular human accounts. Their passwords can’t be changed without breaking applications, so they are rarely changed. Their passwords often can’t be saved securely, so relying applications keep them in text files or hard-code them. They can’t use stronger 2-factor authentication because – unlike humans – software applications don’t have fingerprints, fobs, or phones.
To mitigate these vulnerabilities, service accounts should be inaccessible to human users. Some platforms do allow a service account to be truly “faceless” – not usable for interactive logons – but this is rare. It appears an Okta employee used a service account to log onto their customer support system, while also logged into their personal Google account. Hackers were able to steal the service account password from the employee’s browser or Google account, using it to access confidential data about Okta customers undetected over a period of two weeks. Five customers were subsequently breached using session tokens stolen from Okta.
Service account attacks have gone from theoretical to real. This is only the beginning. There will be more. Technology makers must take steps now to ensure service accounts can be fully non-interactive, and subject to extensive logging, monitoring, and alerting. Employees must be educated to never log on with service accounts. Service account passwords must reside in encrypted, access-controlled storage. Procedures for safely changing those passwords must be developed and tested.
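Two of the controls above (alerting on interactive use of service accounts, and tracking whether their passwords actually get rotated) can be checked mechanically from logs and an inventory. The following is an added example written for this article; it is not code from Okta or from the author. It assumes a naming convention where service accounts start with the prefix `svc-`, an authentication log of one JSON record per line whose field names (`actor`, `event`, `client`, `outcome`) are my own invention rather than any vendor's schema, and a constructed credential inventory with a `last_rotated` date per account.

```python
"""Flag interactive logons by service accounts and stale service passwords.

Added example, not from the original article or from Okta. Assumptions:
- service accounts are identifiable by an assumed naming prefix ("svc-");
- auth events are JSON lines with assumed field names, not a real IdP schema;
- the credential inventory is a constructed list, not a real secrets store.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log. The second and fourth records show a service
# account used from a browser, which a non-interactive account never should be.
SAMPLE_LOG = """\
{"ts":"2023-10-02T09:12:01Z","actor":"alice@example.test","event":"user.session.start","client":"BROWSER","outcome":"SUCCESS"}
{"ts":"2023-10-02T09:15:44Z","actor":"svc-support-sync","event":"user.session.start","client":"BROWSER","outcome":"SUCCESS"}
{"ts":"2023-10-02T09:16:10Z","actor":"svc-support-sync","event":"user.authentication.token","client":"API","outcome":"SUCCESS"}
{"ts":"2023-10-02T09:20:00Z","actor":"svc-billing","event":"user.session.start","client":"BROWSER","outcome":"FAILURE"}
"""

# Constructed inventory of service credentials and their last rotation date.
CREDENTIAL_INVENTORY = [
    {"account": "svc-support-sync", "last_rotated": "2023-01-15"},
    {"account": "svc-billing", "last_rotated": "2023-09-20"},
]

SERVICE_ACCOUNT_PREFIX = "svc-"              # assumed naming convention
INTERACTIVE_CLIENTS = {"BROWSER", "MOBILE"}  # assumed client labels in the log
INTERACTIVE_EVENTS = {"user.session.start"}  # assumed event name for a logon


def is_service_account(actor: str) -> bool:
    """Service accounts are recognised purely by the assumed prefix."""
    return actor.startswith(SERVICE_ACCOUNT_PREFIX)


def parse_events(raw: str) -> list:
    """Parse JSON-lines auth events, skipping blank or malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not silence the whole detector
    return events


def find_interactive_service_logons(events: list) -> list:
    """Return one alert per interactive logon attempt by a service account.

    Failed attempts are reported too: someone trying a service account
    password from a browser is worth knowing about even if it did not work.
    """
    alerts = []
    for ev in events:
        actor = ev.get("actor", "")
        if not is_service_account(actor):
            continue
        if ev.get("event") in INTERACTIVE_EVENTS and ev.get("client") in INTERACTIVE_CLIENTS:
            alerts.append({
                "ts": ev.get("ts"),
                "actor": actor,
                "outcome": ev.get("outcome"),
                "reason": "interactive logon by service account",
            })
    return alerts


def stale_service_credentials(inventory: list, as_of: str, max_age_days: int = 90) -> list:
    """Return (account, age_in_days) for credentials older than max_age_days."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    stale = []
    for entry in inventory:
        rotated = datetime.strptime(entry["last_rotated"], "%Y-%m-%d")
        age = now - rotated
        if age > timedelta(days=max_age_days):
            stale.append((entry["account"], age.days))
    return stale


if __name__ == "__main__":
    for alert in find_interactive_service_logons(parse_events(SAMPLE_LOG)):
        print("ALERT", alert)
    for account, days in stale_service_credentials(CREDENTIAL_INVENTORY, "2023-10-02"):
        print(f"STALE {account}: password last rotated {days} days ago")
```

Run as a script it prints two alerts (both browser logons by `svc-` accounts, one successful and one failed) and one stale credential. Matching on a naming prefix is the weakest part of this design; in a real deployment the list of service accounts should come from the identity system's own attributes or a maintained inventory, so that a misnamed account is not silently exempt from the check.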
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.