Okta Cross-origin Authentication Feature in Customer Identity Cloud Targeted in Credential Stuffing Attacks

Share :

On May 28, 2024, Okta disclosed that the cross-origin authentication feature in Customer Identity Cloud (CIC) is being targeted by credential-stuffing attacks. These attacks involve threat actors using large lists of stolen usernames and passwords to gain unauthorized access to online services. Suspicious activity has been observed starting from April 15, prompting Okta to notify affected customers and provide guidance to mitigate the issue. 

Okta presents an appealing target for threat actors due to the extensive access they could attain upon compromise, combined with its widespread use in enterprise environments worldwide. Additionally, in this activity observed, threat actors can execute high-volume credential-stuffing attacks easily due to its simplicity. In 2023, MGM Resorts International suffered a $100 million loss in a ransomware attack orchestrated by the ALPHV/BlackCat group, who infiltrated their Okta Agent Servers. 


Implement Okta Provided Recommendations 

Arctic Wolf strongly recommends following the recommendations provided by Okta to mitigate this malicious activity. 

Immediate Actions: 

  • Rotate user credentials if compromised. 
  • For tenants not using cross-origin authentication, this endpoint can be disabled in the Auth0 Management Console. 

Additional Mitigations: 

  • Restrict permitted origins for necessary cross-origin authentication. 
  • Enable breached password detection or Credential Guard. 
  • Enforce strong password policies, requiring a minimum of 12 characters and blocking common passwords. 
  • Implement multi-factor authentication (MFA). 
  • Transition to passwordless, phishing-resistant authentication using passkeys. 



Picture of Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.
Share :
Table of Contents
Subscribe to our Monthly Newsletter