23 October 2023

Hackers used stolen credentials to access Okta’s support system

Identity services provider Okta revealed that unknown attackers gained access to its support case management system using stolen credentials.

According to Okta’s Chief Security Officer David Bradbury, the intruders were able to view files uploaded by certain Okta customers as part of recent support cases. He added that the production Okta service was not impacted by the incident.

“Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users,” the company wrote, adding that it has notified all impacted customers and has taken some measures, including the revocation of embedded session tokens.

“In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it,” Okta said.

According to a report from cybersecurity journalist Brian Krebs, the attackers had access to Okta’s platform for at least two weeks before the incident was fully contained.

Identity management company BeyondTrust said it was among customers impacted by the breach. According to the company’s Chief Technology Officer Marc Maiffret, on October 2, 2023, BeyondTrust’s security team detected an unauthorized attempt to use an Okta account assigned to one of their engineers to create an administrator account using a valid session cookie stolen from Okta’s support system. The team blocked all access and verified that the attacker did not gain access to any systems.

BeyondTrust said it had informed Okta of the breach on October 2 but had not received any response. Okta’s Deputy Chief Information Security Officer Charlotte Wylie told Krebs that the company initially believed that BeyondTrust’s alert was not a result of a breach in its systems. But she said that by October 17, the company had identified and contained the incident.

Okta did not reveal how many customers were affected by the security breach.
