Okta warns that a Customer Identity Cloud (CIC) feature is being targeted in credential stuffing attacks, stating that numerous customers have been targeted since April.

Okta is a leading identity and access management company providing cloud-based solutions for secure access to apps, websites, and devices. It offers single sign-on (SSO), multi-factor authentication (MFA), universal directory, API access management, and lifecycle management.

A credential stuffing attack is when threat actors create large lists of usernames and passwords stolen in data breaches or by information-stealing malware and then use them to try and breach online accounts.

Okta says it identified credential stuffing attacks starting on April 15, 2024, which targeted endpoints utilizing Customer Identity Cloud’s cross-origin authentication feature.

“Okta has determined that the feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks,” reads Okta’s announcement.

“As part of our Okta Secure Identity Commitment and commitment to customer security, we routinely monitor and review potentially suspicious activity and proactively send notifications to customers.”

Okta’s Cross-Origin Resource Sharing (CORS) feature allows customers to add JavaScript to their websites and applications to send authentication calls to the Okta API hosted. For this feature to work, customers must grant access to the URLs from which cross-origin requests can originate.

Okta states these URLs are targeted in credential stuffing attacks and should be disabled if they are not in use.

The company has notified customers targeted in these attacks with remediation guidance on securing their accounts.

It’s worth noting that Okta warned its customer base about “unprecedented” credential stuffing attacks late last month, originating from the same threat actors who have been targeting Cisco Talos products since March 2024.

contacted Okta to ask how many customers have been impacted by the credential stuffing attacks.

Detecting attacks

Okta recommends that admins check logs for ‘fcoa,’ ‘scoa,’ and ‘pwd_leak’ events that indicate cross-origin authentication and login attempts using leaked credentials.

If cross-origin authentication isn’t used on the tenant but ‘fcoa’ and ‘scoa’ are present, this indicates you’re targeted by credential stuffing attacks. If cross-origin authentication is used, look for abnormal spikes in ‘fcoa’ and ‘scoa’ events.

As the suspicious activity started on April 15, Okta recommends that customers review logs from that point in time.

In addition to the checks, Okta suggests the following mitigations:

  • Rotate compromised user credentials immediately (instructions available here)
  • Implement passwordless, phishing-resistant authentication, with passkeys being the recommended option.
  • Enforce strong password policies and implement multi-factor authentication (MFA).
  • Disable cross-origin authentication if not used.
  • Remove permitted cross-origin devices that are not in use.
  • Restrict permitted origins for cross-origin authentication if necessary.
  • Enable breached password detection or Credential Guard, depending on the plan.

Customers needing further assistance can reach out to Okta’s Customer Support or its community forums.