Today, March 22, 2022 at 03:30 UTC we learnt of a compromise of Okta. We use Okta internally for employee identity as part of our authentication stack. We have investigated this compromise carefully and do not believe we have been compromised as a result. We do not use Okta for customer accounts; customers do not need to take any action unless they themselves use Okta.
Investigation and actions
Our understanding is that during January 2022, hackers outside Okta had access to an Okta support employee’s account and were able to take actions as if they were that employee. In a screenshot shared on social media, a Cloudflare employee’s email address was visible, along with a popup indicating the hacker was posing as an Okta employee and could have initiated a password reset.
We learnt of this incident via Cloudflare’s internal SIRT. SIRT is our Security Incident Response Team and any employee at Cloudflare can alert SIRT to a potential problem. At exactly 03:30 UTC, a Cloudflare employee emailed SIRT with a link to a tweet that had been sent at 03:22 UTC. The tweet indicated that Okta had potentially been breached. Multiple other Cloudflare employees contacted SIRT over the following two hours.
The following timeline outlines the major steps we took following that initial 03:30 UTC email to SIRT.
Timeline (times in UTC)
03:30 – SIRT receives the first warning of the existence of the tweets.
03:38 – SIRT sees that the tweets contain information about Cloudflare (logo, user information).
03:41 – SIRT creates an incident room to start the investigation and starts gathering the necessary people.
03:50 – SIRT concludes that there were no relevant audit log events (such as password changes) for the user that appears in the screenshot mentioned above.
04:13 – Reached out to Okta directly asking for detailed information to help our investigation.
04:23 – All Okta logs that we ingest into our Security Information and Event Management (SIEM) system are reviewed for potential suspicious activities, including password resets over the past three months.
05:03 – SIRT suspends accounts of users that could have been affected.
We temporarily suspended access for the Cloudflare employee whose email address appeared in the hacker’s screenshots.
05:06 – SIRT starts an investigation of access logs (IPs, locations, multifactor methods) for the affected users.
05:38 – First tweet from Matthew Prince acknowledging the issue.
Because it appeared that an Okta support employee with access to do things like force a password reset on an Okta customer account had been compromised, we decided to look at every employee who had reset their password or modified their Multi-Factor Authentication (MFA) in any way since December 1 up until today. Since Dec. 1, 2021, 144 Cloudflare employees had reset their password or modified their MFA. We forced a password reset for them all and let them know of the change.
05:44 – A list of all users that changed their password in the last three months is finalized. All accounts were required to go through a password reset.
06:40 – Tweet from Matthew Prince about the password reset.
07:57 – We received confirmation from Okta that there were no relevant events that may indicate malicious activity in their support console for Cloudflare instances.
How Cloudflare uses Okta
Cloudflare uses Okta internally as our identity provider, integrated with Cloudflare Access to guarantee that our users can safely access internal resources. In previous blog posts, we described how we use Access to protect internal resources and how we integrated hardware tokens to make our user authentication process more resilient and prevent account takeovers.
In the case of the Okta compromise, it would not suffice to just change a user’s password. The attacker would also need to change the hardware (FIDO) token configured for the same user. As a result it would be easy to spot compromised accounts based on the associated hardware keys.
Even though logs are available in the Okta console, we also store them in our own systems. This adds an extra layer of security as we are able to store logs longer than what is available in the Okta console. That also ensures that a compromise in the Okta platform cannot alter evidence we have already collected and stored.
Okta is not used for customer authentication on our systems, and we do not store any customer data in Okta. It is only used for managing the accounts of our employees.
The main actions we took during this incident were:
user.session.impersonation.initiate. It’s unclear from communications we’ve received from Okta so far who we would expect the System Log Actor to be from the compromise of an Okta support employee.
What to do if you are an Okta customer
If you are also an Okta customer, you should reach out to them for further information. We advise the following actions:
a. Check all password and MFA changes for your Okta instances.
b. Pay special attention to support initiated events.
c. Make sure all password resets are valid or just assume they are all under suspicion and force a new password reset.
d. If you find any suspicious MFA-related events, make sure only valid MFA keys are present in the user’s account configuration.
Cloudflare’s Security and IT teams are continuing to work on this compromise. If further information comes to light that indicates compromise beyond the January timeline we will publish further posts detailing our findings and actions.
We are also in contact with Okta with a number of requests for additional logs and information. If anything comes to light that alters our assessment of the situation we will update the blog or write further posts.