hCaptcha's review of the January 2022 Okta compromise. There was no impact to hCaptcha services.
On March 22, 2022 we were notified of a compromise of Okta that occurred in January 2022, in which an Okta support team account was compromised. This elevated access was apparently used to reset user accounts, and in combination with spear phishing attacks was used to target employees of other companies in order to compromise their networks.
Okta is one of the larger identity platforms, used to secure authentication and access control by thousands of organizations around the world.
Compromising an identity platform means, in the worst case, that attackers can potentially access any resource secured by that platform at any of its downstream customer companies
We do not use Okta internally, and no hCaptcha production assets are secured with Okta. There was no direct impact to hCaptcha from the Okta compromise.
hCaptcha Enterprise is natively supported by Okta for SAML SSO via the Okta OIN. This means some hCaptcha Enterprise customers can log in to manage their services via Okta SSO.
Okta also has native integration of hCaptcha challenges. Okta customers can enable this feature within the Okta login flow, but this interaction path does not appear to be affected by the compromise.
Our job was thus to confirm that no hCaptcha Enterprise customer was affected by their Okta integration.
Verifying hCaptcha Enterprise customers were not affected
After re-confirming none of our systems or teams used Okta, we extended our analysis further by auditing whether any Okta-mediated hCaptcha Enterprise logins showed abnormal activity.
hCaptcha Enterprise customers have rich audit logs available to simplify customer compliance audits, including logins to their Enterprise accounts and all service changes across Enterprise Organizations.
We used this data to run ex post facto trend analysis and anomaly detection on Enterprise activity since January 2022 where Okta was part of the SSO flow.
After manual review of trends and anomalies, no suspicious activity was found on these Okta-mediated logins in the January 01 - March 22 2022 timeframe.
The hCaptcha SOC will continue elevated monitoring of anomalies on Okta-mediated login accounts, and will reach out to any Enterprise customers immediately upon detection if any suspicious behavior is found in the future.
hCaptcha will also continue to monitor Okta-related news for compromise updates to confirm no further action is required. If needed, we will provide alternate access methods for existing Okta SSO-enabled hCaptcha Enterprise customers in the event this Okta compromise is determined to be of wider scale and scope, or those customers decide to move to an alternate identity platform.