
Okta warns of credential stuffing attacks on the Customer Identity Cloud

May 30, 2024 | Press release | Credential stuffing / incident response

Okta warns that a cross-origin authentication feature in the Customer Identity Cloud (CIC) is vulnerable to credential stuffing attacks orchestrated by threat actors.

“We have observed that the endpoints used to support the cross-origin authentication feature have been attacked via credential stuffing for a number of our customers,” said the identity and access management (IAM) service provider.

The suspicious activity began on April 15, 2024. The company said it “proactively” notified customers who had enabled the feature. It did not disclose how many customers were affected by the attacks.

Credential stuffing is a type of cyberattack in which attackers attempt to log into online services using a pre-existing list of usernames and passwords obtained either from previous data breaches or from phishing and malware campaigns.


Okta's recommended actions include reviewing tenant logs for signs of unexpected login events, specifically failed cross-origin authentication (fcoa), successful cross-origin authentication (scoa) and compromised password (pwd_leak) events; rotating credentials; and restricting or disabling cross-origin authentication for tenants.

If scoa or fcoa events are present in the event logs and the number of failed events is increasing, the tenant is likely the target of a credential stuffing attack, regardless of whether cross-origin authentication is in use.
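The log review Okta describes above can be automated as a simple triage pass over a tenant log export. The following is an added example written for this article, not code from Okta or from the advisory: it assumes newline-delimited JSON records carrying the Auth0/CIC log fields `date` and `type`, counts the three indicator event types (fcoa, scoa, pwd_leak) per time window, and flags a tenant whose failed cross-origin attempts rise window over window. The sample log lines are constructed for the example, and the `cross_origin_enabled` flag is a hypothetical input standing in for the tenant's own configuration.

```python
"""Triage a CIC/Auth0 tenant log export for the cross-origin authentication
indicators named in Okta's advisory: fcoa, scoa and pwd_leak events, and a
rising count of failed attempts across successive time windows."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Event type codes taken from the advisory; everything else is ignored.
INDICATORS = {
    "fcoa": "failed cross-origin authentication",
    "scoa": "successful cross-origin authentication",
    "pwd_leak": "compromised password",
}


def build_sample_log():
    """Constructed sample log, not real tenant data. Failed cross-origin
    attempts grow hour over hour (2, 4, 7) with one scoa, one pwd_leak and
    one ordinary login ("s") mixed in, roughly how a stuffing run looks."""
    spec = [
        ("2024-04-15T10:00:00Z", "fcoa", 2),
        ("2024-04-15T11:00:00Z", "fcoa", 4),
        ("2024-04-15T12:00:00Z", "fcoa", 7),
        ("2024-04-15T12:30:00Z", "scoa", 1),
        ("2024-04-15T12:45:00Z", "pwd_leak", 1),
        ("2024-04-15T12:50:00Z", "s", 1),
    ]
    lines, n = [], 0
    for date, etype, count in spec:
        for _ in range(count):
            n += 1
            lines.append(json.dumps({
                "date": date, "type": etype,
                "ip": f"203.0.113.{n}", "user_name": f"user{n}@example.com",
            }))
    return lines


def parse_events(lines):
    """Return (timestamp, type, ip, user) for indicator events only.
    Malformed lines and non-indicator types are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") not in INDICATORS:
            continue
        ts = datetime.fromisoformat(rec["date"].replace("Z", "+00:00"))
        events.append((ts, rec["type"], rec.get("ip"), rec.get("user_name")))
    return events


def count_by_window(events, window_minutes=60):
    """Bucket indicator events into fixed windows; returns {window_start: Counter}."""
    buckets = defaultdict(Counter)
    size = window_minutes * 60
    for ts, etype, _ip, _user in events:
        epoch = int(ts.timestamp())
        buckets[epoch - epoch % size][etype] += 1
    return dict(sorted(buckets.items()))


def failed_attempts_rising(buckets):
    """True when fcoa counts strictly increase across every consecutive window."""
    fails = [c["fcoa"] for _start, c in sorted(buckets.items())]
    return len(fails) >= 2 and all(b > a for a, b in zip(fails, fails[1:]))


def summarize(lines, window_minutes=60, cross_origin_enabled=True):
    """Apply the advisory's two tests: rising failures => likely credential
    stuffing; any scoa/fcoa on a tenant that does not use the feature =>
    unexpected activity worth investigating regardless of volume."""
    events = parse_events(lines)
    buckets = count_by_window(events, window_minutes)
    totals = Counter(etype for _ts, etype, _ip, _user in events)
    rising = failed_attempts_rising(buckets)
    cross_origin_events = totals["fcoa"] + totals["scoa"]
    return {
        "totals": dict(totals),
        "fcoa_per_window": [c["fcoa"] for c in buckets.values()],
        "distinct_users_failed": len({u for _ts, t, _ip, u in events if t == "fcoa"}),
        "failed_rising": rising,
        "likely_credential_stuffing": rising and totals["fcoa"] > 0,
        "unexpected_cross_origin_activity": cross_origin_events > 0 and not cross_origin_enabled,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(build_sample_log()), indent=2))
```

On a real export the same `summarize` call would be fed the file's lines and the tenant's actual cross-origin setting; the per-window fcoa series is what shows whether the run is still accelerating, and the distinct-user count separates a spray across many accounts from one user repeatedly mistyping a password.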

Other defenses include enabling compromised password detection or Credential Guard, prohibiting users from choosing weak passwords, and enrolling users for passwordless, phishing-resistant authentication using new standards such as passkeys.

This development comes a month after the company highlighted an increase in the “frequency and magnitude” of credential stuffing attacks on online services conducted through residential proxy services.
