
Hackers deploy login credentials they stole at Okta to hack Cloudflare – update


Cloudflare has delved deeper into the Okta data breach that occurred in November 2023. The company became one of the victims of this data breach and was hacked some time later. Investigations now reveal that the hackers, in all likelihood, have ties to the Chinese government.

Cloudflare fell victim to a cyber attack on Nov. 23, 2023. The attack followed a data breach at Okta earlier in that period, in which hackers captured HAR files. These files contained information about browser activity and were used by the hackers in session hijacking attacks.

Cloudflare’s internal investigation revealed that the hackers penetrated an internal Atlassian server. The security team discovered the hack on Nov. 23, 2023, and subsequently locked the hackers out of the systems. The hackers reportedly first attempted to connect to the server on Nov. 14 to explore the virtual environment. On Nov. 22, the hackers set up persistent access, which therefore remained active for about one day.

Following the Okta hack

The researchers provide further insight into the relationship between the hack at Okta and the attack on Cloudflare. During the data breach, the hackers allegedly captured one access token and the data from three Cloudflare service accounts. That data enabled the attack on the Atlassian server.

The company admits to being at fault for not changing the login credentials after the Okta hack. According to the company, all credentials have since been changed. The identity and access provider did call for stricter security protocols to be applied and necessary action to be taken after the data breach was announced.

Fortunately, the impact of the attack on Cloudflare remains limited. For example, no customer data was reportedly stolen, and systems were not infected. The hacker caused no damage due to Cloudflare’s strong security, which includes access control, firewalls and zero trust tools, the company indicates.

Update: Okta reached out to us with a formal statement after publication. You can find that statement below:

“This is not a new incident or disclosure on the part of Okta. On October 19th, we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident. We can’t comment on our customers’ security remediations.”
