In a new security advisory, Okta disclosed a vulnerability in its system that could allow users to log into their accounts without entering the correct password. Okta bypassed password authentication if the account username was 52 characters or more. In addition, the system had to find a “saved cache key” from a previous successful authentication, which means the account owner must have had a prior login history using that browser. Organizations that require multi-factor authentication were not affected, according to a notice the company sent to users.
Still, a 52-character username is easier to guess than a random password, and can be as simple as an email address that combines the user’s full name and the organization’s website domain. The company confirmed that the vulnerability was introduced as part of a standard update published on July 23, 2024, and that it discovered (and fixed) the issue on October 30. The company recommends that customers who meet all of the vulnerability criteria check their access logs for the past few months.
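The article gives the two criteria (a username of 52 or more characters, and a saved cache key from an earlier successful login) but not why a long username would make the password irrelevant. The added example below is not Okta’s code and is not taken from the advisory; it assumes a common failure pattern: a cache key derived by hashing the concatenation userId + username + password with bcrypt, which only ever hashes the first 72 bytes of its input, together with a 20-character userId (both assumptions, labelled in the code). Under those assumptions 72 − 20 = 52 is exactly the username length at which the password is pushed entirely out of the hashed window. SHA-256 over the first 72 bytes stands in for the bcrypt call so the script runs without third-party packages; a length-prefixed HMAC shows the hardened construction, and a small log filter shows the kind of check a defender would run over authentication events for the criteria the notice lists. All identifiers and events are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass

# bcrypt hashes only the first 72 bytes of its input and silently ignores the
# rest; this constant models that documented limit. SHA-256 stands in for the
# bcrypt call itself so the example needs no third-party package.
BCRYPT_MAX_INPUT = 72

# Assumption (not stated in the article): the cache key covered
# userId + username + password in that order, and the userId is 20 characters.
USER_ID_LENGTH = 20


def truncating_cache_key(user_id: str, username: str, password: str) -> str:
    """Weak pattern: hash the plain concatenation with a truncating hash.
    Once userId and username fill 72 bytes, every password byte is dropped
    before hashing, so any password yields the same key."""
    material = (user_id + username + password).encode()
    return hashlib.sha256(material[:BCRYPT_MAX_INPUT]).hexdigest()


def hardened_cache_key(user_id: str, username: str, password: str,
                       server_key: bytes) -> str:
    """Hardened pattern: length-prefix every field and run HMAC-SHA256 over
    the whole record, so no field can push another past a length limit."""
    mac = hmac.new(server_key, digestmod=hashlib.sha256)
    for field in (user_id, username, password):
        data = field.encode()
        mac.update(len(data).to_bytes(4, "big"))
        mac.update(data)
    return mac.hexdigest()


def password_is_ignored(key_fn, user_id: str, username: str) -> bool:
    """True when two different passwords map to the same cache key, i.e. the
    cached credential would accept any password for this username."""
    return (key_fn(user_id, username, "correct-password")
            == key_fn(user_id, username, "anything-else"))


def min_bypassable_username_length(user_id_length: int = USER_ID_LENGTH) -> int:
    """Username length at which the password falls entirely outside the
    72-byte window: 72 - 20 = 52, matching the advisory's threshold."""
    return BCRYPT_MAX_INPUT - user_id_length


@dataclass
class AuthEvent:
    username: str
    outcome: str      # "SUCCESS" or "FAILURE"
    mfa_used: bool
    cache_hit: bool   # authenticated against a saved cache key


def suspicious_logins(events: list) -> list:
    """Defender's log check for the criteria in the notice: a successful
    cache-based login, no MFA, and a username of 52 characters or more."""
    threshold = min_bypassable_username_length()
    return [e for e in events
            if e.outcome == "SUCCESS" and e.cache_hit and not e.mfa_used
            and len(e.username) >= threshold]


# Constructed sample data, not real identifiers or logs.
SAMPLE_USER_ID = "00u" + "x" * (USER_ID_LENGTH - 3)          # 20 characters
LONG_USERNAME = "alexandra.montgomery-whitfield@engineering.example.com"  # 54
SHORT_USERNAME = "a.b@example.com"                           # 15

SAMPLE_EVENTS = [
    AuthEvent(LONG_USERNAME, "SUCCESS", mfa_used=False, cache_hit=True),
    AuthEvent(LONG_USERNAME, "SUCCESS", mfa_used=True, cache_hit=True),
    AuthEvent(SHORT_USERNAME, "SUCCESS", mfa_used=False, cache_hit=True),
    AuthEvent(LONG_USERNAME, "FAILURE", mfa_used=False, cache_hit=False),
]


def hardened_with_key(user_id: str, username: str, password: str) -> str:
    """Bind the hardened key function to a constructed server key."""
    return hardened_cache_key(user_id, username, password, b"constructed-key")


if __name__ == "__main__":
    print("threshold username length:", min_bypassable_username_length())
    for name in (SHORT_USERNAME, LONG_USERNAME):
        print(f"{len(name):>2} chars  truncating ignores password:",
              password_is_ignored(truncating_cache_key, SAMPLE_USER_ID, name),
              " hardened ignores password:",
              password_is_ignored(hardened_with_key, SAMPLE_USER_ID, name))
    for e in suspicious_logins(SAMPLE_EVENTS):
        print("review:", e)
```

Only the first sample event is flagged: the second used MFA, the third has a short username, and the fourth failed. With the truncating key the 54-character username makes both passwords collide, while the 15-character one does not; the HMAC version never collides because each field is length-prefixed before hashing.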
Okta provides software that allows enterprises to easily add authentication services to their applications. For organizations with multiple apps, users get a single, unified login without having to verify their identity in each application. The company did not say whether it was aware of anyone affected by this particular issue, but it did issue a statement in the past after the threat group Lapsus$ accessed the accounts of several users, in which it promised: “We will communicate with you more quickly.”
