
All news with #okta tag

33 articles

BlackFile (UNC6671): Vishing and SSO extortion campaign

🔐 Google Threat Intelligence Group (GTIG) details UNC6671, operating as "BlackFile," which uses large-scale voice phishing (vishing) and adversary-in-the-middle techniques to bypass MFA and compromise SSO access. The group targets Microsoft 365 and Okta, leveraging Python and PowerShell scripts to automate exfiltration and repurpose valid session cookies to "stream" files. GTIG highlights detection indicators such as python-requests User-Agent mismatches, nonstandard IP infrastructure, and subdomain-based credential-harvesting sites to aid defenders.
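The detection indicators GTIG lists (python-requests User-Agents, nonstandard IP infrastructure) only become a detection once they are tied to the session being replayed. The following is an added example, not GTIG's or Okta's code: it hunts Okta System Log records for a session that a browser established and a scripted client later reused, from a different IP or ASN. The sample records are constructed and carry only the fields the logic reads; the prefix list is an assumption to tune for your estate.

```python
"""Hunt for replayed Okta sessions driven by scripted clients.

Added example, not GTIG's code. It reads Okta System Log records (one JSON
object per line), groups them by externalSessionId and flags any event that
reuses a browser-established session from a scripted User-Agent, a different
client IP, or a different ASN.
"""
import json
from collections import defaultdict

# User-Agent prefixes a normal SSO user never presents mid-session (assumed list).
SCRIPTED_UA_PREFIXES = ("python-requests/", "python-urllib/", "curl/", "go-http-client/")
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"


def _ev(published, event_type, user, ip, ua, asn, session_id):
    # Constructed record carrying the subset of Okta System Log fields used below.
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "securityContext": {"asNumber": asn},
            "authenticationContext": {"externalSessionId": session_id}}


# Constructed sample log: jdoe's browser session is later reused by a
# python-requests client from hosting space; asmith's session is clean.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("2026-04-20T09:01:11Z", "user.session.start", "jdoe@example.com",
        "203.0.113.10", CHROME, 64496, "102abc"),
    _ev("2026-04-20T09:02:30Z", "user.authentication.sso", "jdoe@example.com",
        "203.0.113.10", CHROME, 64496, "102abc"),
    _ev("2026-04-20T09:40:02Z", "user.authentication.sso", "jdoe@example.com",
        "198.51.100.77", "python-requests/2.31.0", 64500, "102abc"),
    _ev("2026-04-20T10:00:00Z", "user.session.start", "asmith@example.com",
        "203.0.113.44", CHROME, 64496, "777xyz"),
    _ev("2026-04-20T10:05:00Z", "user.authentication.sso", "asmith@example.com",
        "203.0.113.44", CHROME, 64496, "777xyz"),
])


def parse_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ua(e):
    return e.get("client", {}).get("userAgent", {}).get("rawUserAgent", "")


def _ip(e):
    return e.get("client", {}).get("ipAddress")


def _asn(e):
    return e.get("securityContext", {}).get("asNumber")


def is_scripted(user_agent):
    return user_agent.lower().startswith(SCRIPTED_UA_PREFIXES)


def find_session_replay(events):
    """Return one finding per event that is inconsistent with the event
    that established the same session."""
    by_session = defaultdict(list)
    for e in events:
        sid = e.get("authenticationContext", {}).get("externalSessionId")
        if sid:
            by_session[sid].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["published"])  # ISO-8601 UTC sorts lexically
        first = evs[0]
        for e in evs[1:]:
            reasons = []
            if is_scripted(_ua(e)) and not is_scripted(_ua(first)):
                reasons.append(f"user-agent mismatch: {_ua(e)!r} on a session opened by a browser")
            if _ip(e) != _ip(first):
                reasons.append(f"client IP changed {_ip(first)} -> {_ip(e)}")
            if _asn(e) != _asn(first):
                reasons.append(f"ASN changed {_asn(first)} -> {_asn(e)}")
            if reasons:
                findings.append({"session": sid, "user": e["actor"]["alternateId"],
                                 "eventType": e["eventType"], "published": e["published"],
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_session_replay(parse_log(SAMPLE_LOG)):
        print(f["published"], f["user"], f["session"], "; ".join(f["reasons"]))
```

Keying on externalSessionId rather than on the User-Agent alone is what separates cookie replay from a user who simply runs a script under their own login: the scripted client is only suspicious when it inherits a session it did not open.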

Okta Study: AI Agents Bypass Guardrails, Expose Tokens

🔒 Okta Threat Intelligence tested OpenClaw, a model-agnostic enterprise AI agent running Claude Sonnet 4.6, and found it could be manipulated into disclosing sensitive credentials. In one scenario an attacker who had hijacked a user's Telegram account prompted the agent to display an OAuth token in a terminal, reset the agent to erase that memory, then forced a screenshot and had the token sent out via Telegram. Okta warns that agents' default helpfulness and deep system access create significant credential-exposure risk if they are not properly governed.

AWS Transfer Family Terraform Module Adds Okta and Entra

🔧 AWS updated the Transfer Family Terraform module to include end-to-end examples demonstrating integration with Okta and Microsoft Entra ID as custom identity providers. Built on the open-source Custom IdP solution and example repositories, the module automates deployment of Transfer Family endpoints while leveraging existing identity infrastructure. Included security controls—MFA, audit logging, and per-user IP allowlisting—help organizations meet operational and compliance requirements; consult the Terraform Registry and the Transfer Family Custom IdP user guide for implementation details and regional availability.

ADT Breach: ShinyHunters Exposes 5.5M Records, Partial IDs

🔒 ShinyHunters stole personal data for about 5.5 million ADT customers and posted an 11GB archive on a dark web leak site after its extortion attempt failed. ADT says it detected the intrusion on April 20 and that the accessed information was largely limited to names, phone numbers, and addresses, with a small number of records also including dates of birth and the last four digits of SSNs or Tax IDs. The group claims the attack began with a vishing compromise of an employee's Okta SSO account that enabled data theft from the company's Salesforce instance; ADT reports that no payment data or customer security systems were affected.

ADT Confirms Customer Data Breach After ShinyHunters Threat

🔒 ADT confirmed unauthorized access to customer and prospective customer data detected on April 20, saying it terminated the intrusion and opened an investigation. The company reported that stolen information was limited to names, phone numbers, and addresses, with a small subset including dates of birth and the last four digits of SSNs or Tax IDs. ADT emphasized no payment data or customer security systems were affected. ShinyHunters claims over 10 million records were taken after a vishing attack that allegedly compromised an employee’s Okta SSO and accessed Salesforce data.

Google Warns of Extortion Group Targeting BPOs and Helpdesks

🔒 Google Threat Intelligence Group warns that UNC6783, a financially motivated cluster possibly tied to the 'Raccoon' persona, is targeting business process outsourcers (BPOs) and large enterprises through live-chat social engineering. The campaign directs employees to spoofed Okta login pages hosted on Zendesk-lookalike domains such as zendesk-support[.]com and uses a phishing kit that steals clipboard contents to bypass MFA and enroll attacker-controlled devices for persistence. GTIG also observed fake security updates delivering remote access malware and the use of Proton Mail to deliver ransom notes. Organizations should deploy phishing-resistant MFA such as FIDO2 keys, monitor live chat, block unauthorized domains, and audit new MFA enrollments.

Google: UNC6783 targets BPOs to steal Zendesk tickets

🔐 Google warns that UNC6783 is compromising business process outsourcing (BPO) providers to steal corporate support tickets and other sensitive data for extortion. Attackers use social engineering, live-chat phishing, and spoofed Zendesk-style domains plus fake Okta login pages; observed phishing kits can exfiltrate clipboard contents to bypass MFA and register devices. The group also distributes fake security updates to deliver remote access malware and then contacts victims via ProtonMail; Google recommends deploying FIDO2 keys, monitoring live chat, blocking spoofed domains, and auditing MFA enrollments.
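Google's advice to audit MFA enrollments is only useful if the audit correlates each enrollment with where the user has actually signed in from before; an attacker who phished a login and immediately registered a device leaves exactly that pattern. The following is an added example, not Google's or Okta's code: it walks Okta System Log events in time order, remembers the first successful login per (user, ASN), and flags `user.mfa.factor.activate` events from an ASN that is new for the user or became known only minutes earlier. The events are constructed and trimmed to the fields used; the two-hour window is an assumption.

```python
"""Audit MFA factor enrollments against each user's login history.

Added example, not Google's or Okta's code. A UNC6783-style kit enrols an
attacker device right after a phished login, so an enrolment from an ASN the
user has never signed in from, or from one first seen minutes earlier, is
worth a ticket. Input: Okta System Log events as dicts.
"""
from datetime import datetime, timedelta


def _ev(published, event_type, user, asn, result="SUCCESS"):
    # Constructed record with the subset of Okta System Log fields used below.
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": user},
            "securityContext": {"asNumber": asn},
            "outcome": {"result": result}}


# Constructed sample: alice enrols from her usual ASN two weeks after first
# using it; bob enrols seven minutes after his first-ever login from AS64500;
# carol's enrolment comes from an ASN that only has a failed login.
SAMPLE_EVENTS = [
    _ev("2026-04-01T08:00:00Z", "user.session.start", "alice@example.com", 64496),
    _ev("2026-04-15T08:10:00Z", "user.session.start", "alice@example.com", 64496),
    _ev("2026-04-15T08:12:00Z", "user.mfa.factor.activate", "alice@example.com", 64496),
    _ev("2026-04-20T14:00:00Z", "user.session.start", "bob@example.com", 64500),
    _ev("2026-04-20T14:07:00Z", "user.mfa.factor.activate", "bob@example.com", 64500),
    _ev("2026-04-20T15:00:00Z", "user.session.start", "carol@example.com", 64496),
    _ev("2026-04-20T15:03:00Z", "user.session.start", "carol@example.com", 64510, result="FAILURE"),
    _ev("2026-04-20T15:04:00Z", "user.mfa.factor.activate", "carol@example.com", 64510),
]


def _ts(e):
    return datetime.fromisoformat(e["published"].replace("Z", "+00:00"))


def audit_factor_enrollments(events, window=timedelta(hours=2)):
    """Return findings for user.mfa.factor.activate events whose ASN is new
    for the user or became known less than `window` before the enrolment."""
    first_login_from = {}  # (user, asn) -> time of first successful session start
    findings = []
    for e in sorted(events, key=_ts):
        user = e["actor"]["alternateId"]
        asn = e.get("securityContext", {}).get("asNumber")
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "SUCCESS":
            first_login_from.setdefault((user, asn), _ts(e))
        elif e["eventType"] == "user.mfa.factor.activate":
            seen = first_login_from.get((user, asn))
            if seen is None:
                findings.append({"user": user, "asn": asn, "published": e["published"],
                                 "minutes_since_first_login": None,
                                 "reason": "factor enrolled from an ASN with no successful login"})
            elif _ts(e) - seen < window:
                mins = int((_ts(e) - seen).total_seconds() // 60)
                findings.append({"user": user, "asn": asn, "published": e["published"],
                                 "minutes_since_first_login": mins,
                                 "reason": f"factor enrolled {mins} min after first login from this ASN"})
    return findings


if __name__ == "__main__":
    for f in audit_factor_enrollments(SAMPLE_EVENTS):
        print(f["published"], f["user"], f"AS{f['asn']}", f["reason"])
```

Feed the function at least a month of history so legitimate ASNs are already in the baseline; run against a short window it will flag every enrollment as new.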

Hims & Hers Discloses Zendesk Support Ticket Breach

🔒 Hims & Hers says support tickets were exfiltrated from its Zendesk instance after threat actors accessed a third-party customer service platform via a compromised Okta SSO account. The company reports the activity occurred Feb 4–7, 2026, was first noticed on Feb 5, and that an internal investigation concluded on March 3 that certain tickets were accessed or acquired without authorization. Potentially exposed information includes names, contact details, and other request-related data; the company states no medical records or doctor communications were affected and is offering 12 months of credit monitoring to impacted individuals.

Five Ways Chrome Enterprise Strengthens Browser Security

🔒 Chrome Enterprise outlines five enhancements aimed at reinforcing browser security for organizations, addressing modern risks from session theft to malware-driven credential theft. Highlights include Device Bound Session Credentials to prevent session hijacking, cache encryption to protect data at rest, and App-bound encryption to block unauthorized apps from reading browser-stored secrets. Administrators also get tighter download controls and deeper integrations with partners such as Citrix and Okta to improve access decisions and incident response.

Crunchyroll Investigates Breach Affecting 6.8M Users

🔒 Crunchyroll is investigating claims that attackers stole personal data for roughly 6.8 million users after compromising a support agent's Okta SSO credentials. The actor says they accessed multiple applications, including Zendesk, Slack, and Google Workspace, and downloaded about 8 million support tickets containing names, emails, IP addresses, locations, and ticket contents. Payment details were reportedly present only where customers had shared them in tickets. The attacker demanded $5 million in extortion but, by their own account, received no response.

ShieldGuard crypto browser extension scam dismantled

🔒 Researchers have dismantled the ShieldGuard crypto scam after Okta Threat Intelligence flagged the malicious browser extension in an advisory on March 17. Marketed as a wallet security tool with social promotion and token "airdrop" incentives, the extension instead harvested wallet addresses, scraped full HTML content after logins and tracked users across sessions. It used obfuscation and a custom JavaScript interpreter to evade Chrome protections and supported remote command-and-control execution. Partners removed the extension from the Chrome Web Store, disabled backend infrastructure, took down domains and blocked sign-in functionality; users are advised to limit plugins, verify sources and treat free-token offers with caution.

Nordstrom Email System Used to Send Cryptocurrency Scams

📧 Customers of upscale retailer Nordstrom received fraudulent emails sent from a legitimate nordstrom@eml.nordstrom.com address that promoted a cryptocurrency doubling scheme disguised as a St Patrick's Day promotion. The messages used official-looking images and branding and pressured recipients with a two-hour deadline. A source told BleepingComputer the incident likely involved an Okta SSO compromise leading to abuse of Salesforce Experience Cloud. Nordstrom warned the messages were unauthorized and advised customers not to send funds.

Where MFA Stops: Windows Authentication Gaps and Risks

🔐 Organizations often assume multi-factor authentication (MFA) eliminates credential risk, but in many Windows environments that assumption is incomplete. Cloud IdPs like Microsoft Entra ID, Okta, and Google Workspace protect federated sign‑ins, yet traditional Windows authentication paths — including interactive logons, RDP, NTLM, Kerberos ticket abuse, SMB, local admin and service accounts — commonly bypass those controls. The result: attackers can use stolen passwords, NTLM hashes, stolen or forged Kerberos tickets, or reused local credentials to move laterally and maintain persistent access without triggering cloud MFA. Vendor solutions such as Specops Secure Access and Specops Password Policy are presented as practical mitigations to enforce MFA for Windows logon, block compromised passwords, and reduce legacy protocol exposure.

Top Customer Identity and Access Management (CIAM) Tools

🔐 CIAM platforms manage authentication, authorization, consent, and customer identity for public-facing applications. Analysts highlight six leading solutions — IBM Security Verify, LoginRadius, Microsoft Entra, Okta/Auth0, OneLogin, and Ping Identity — each balancing usability, extensibility, and security differently. Offerings range from turnkey, no-code deployments to developer-led, API-first systems and vary in native fraud analytics, FIDO2 support, consent-management capabilities, and integrations with BI/CRM ecosystems. Organizations should weigh marketing data needs, privacy compliance, and fraud protection when choosing a CIAM.

Six Okta Security Settings You May Have Overlooked

🔐 Identity providers like Okta are central to modern SaaS security, and subtle configuration gaps can create serious exposure. This article highlights six fundamental settings—password policies, phishing‑resistant MFA, ThreatInsight, admin session ASN binding, session lifetimes, and behavior rules—that reduce the risk of account takeovers and session hijacking. Complementing these controls with continuous monitoring from Nudge Security helps detect drift and remediate misconfigurations before they’re exploited.
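Checking the six settings once is easy; catching drift means checking them continuously against a baseline. The following is an added example, not Nudge Security's or Okta's code: a single function that evaluates a snapshot of the six settings and returns findings, run against a weak snapshot and a hardened one. The snapshot shape follows the Okta Management API policy objects (password, sign-on, MFA enrollment policies, the ThreatInsight configuration, and the behaviors list) as recalled for this example and should be verified against the current API reference; both snapshots are constructed, and the admin-session ASN binding toggle is modelled as an assumed `orgSettings.adminSessionAsnBinding` key because it is not a policy object. The thresholds (12-character minimum, 12-hour lifetime, 2-hour idle) are assumptions, not Okta defaults.

```python
"""Drift check for the six Okta settings listed above.

Added example, not Nudge Security's or Okta's code. `check_okta_baseline`
takes a snapshot dict and returns a list of findings. The snapshot shape
follows the Okta Management API objects as recalled here (verify field names
against the current reference); both snapshots are constructed and the
adminSessionAsnBinding key is an assumed stand-in for the org-level toggle.
"""


def snapshot(min_length, max_attempts, webauthn_enroll, threat_action,
             asn_binding, lifetime_min, idle_min, persistent_cookie, behavior_status):
    """Build a constructed snapshot; a real collector would fill it from the API."""
    return {
        "passwordPolicy": {"settings": {"password": {
            "complexity": {"minLength": min_length},
            "lockout": {"maxAttempts": max_attempts}}}},
        "mfaEnrollPolicy": {"settings": {"factors": {
            "webauthn": {"enroll": {"self": webauthn_enroll}},
            "okta_push": {"enroll": {"self": "OPTIONAL"}}}}},
        "threatInsight": {"action": threat_action},
        "orgSettings": {"adminSessionAsnBinding": asn_binding},
        "signOnRule": {"actions": {"signon": {"session": {
            "maxSessionLifetimeMinutes": lifetime_min,
            "maxSessionIdleMinutes": idle_min,
            "usePersistentCookie": persistent_cookie}}}},
        "behaviors": [{"name": n, "status": behavior_status}
                      for n in ("New IP", "New Device", "New Geo-Location", "Velocity")],
    }


# Weak setting beside its corrected form, one argument per setting.
WEAK = snapshot(8, 0, "OPTIONAL", "audit", False, 0, 240, True, "INACTIVE")
HARDENED = snapshot(14, 5, "REQUIRED", "block", True, 720, 120, False, "ACTIVE")


def check_okta_baseline(snap):
    findings = []
    # 1. Password policy: length and lockout (0 attempts means lockout disabled).
    pw = snap["passwordPolicy"]["settings"]["password"]
    if pw["complexity"]["minLength"] < 12:
        findings.append(f"password minLength {pw['complexity']['minLength']} < 12")
    if not 1 <= pw["lockout"]["maxAttempts"] <= 10:
        findings.append(f"lockout maxAttempts {pw['lockout']['maxAttempts']} not in 1..10")
    # 2. Phishing-resistant MFA must be required, not merely offered.
    factors = snap["mfaEnrollPolicy"]["settings"]["factors"]
    webauthn = factors.get("webauthn", {}).get("enroll", {}).get("self", "NOT_ALLOWED")
    if webauthn != "REQUIRED":
        findings.append(f"webauthn enrollment is {webauthn}, expected REQUIRED")
    # 3. ThreatInsight should block, not only log.
    if snap["threatInsight"]["action"] != "block":
        findings.append(f"ThreatInsight action is {snap['threatInsight']['action']!r}, expected 'block'")
    # 4. Admin sessions bound to the originating ASN (assumed key, see docstring).
    if not snap["orgSettings"].get("adminSessionAsnBinding"):
        findings.append("admin session ASN binding disabled")
    # 5. Session lifetime and idle timeout; 0 is treated here as 'no limit'.
    sess = snap["signOnRule"]["actions"]["signon"]["session"]
    if not 1 <= sess["maxSessionLifetimeMinutes"] <= 720:
        findings.append(f"maxSessionLifetimeMinutes {sess['maxSessionLifetimeMinutes']} not in 1..720")
    if not 1 <= sess["maxSessionIdleMinutes"] <= 120:
        findings.append(f"maxSessionIdleMinutes {sess['maxSessionIdleMinutes']} not in 1..120")
    if sess.get("usePersistentCookie"):
        findings.append("persistent session cookie enabled")
    # 6. At least one behavior detection rule must be active to feed sign-on rules.
    if not any(b.get("status") == "ACTIVE" for b in snap["behaviors"]):
        findings.append("no active behavior detection rules")
    return findings


if __name__ == "__main__":
    for label, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_okta_baseline(snap) or "baseline met")
```

Wire the function to a scheduled collector and page on any non-empty result: a finding that appears after a clean run is the drift the article warns about.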

Okta Warns of Real-Time Vishing Attacks Bypassing MFA

🔔 Okta Threat Intelligence has warned that cybercriminals are combining vishing calls with adaptable phishing sites to social-engineer victims and bypass multi-factor authentication (MFA). Attackers perform reconnaissance, spoof internal IT support numbers during calls, and direct users to customized phishing pages that update in real time. Stolen credentials are relayed to the attackers, who then trigger MFA prompts the victim is talked into approving, giving the attackers account access.

ShinyHunters Claim Responsibility for SSO Vishing Attacks

📞 ShinyHunters says it is behind a wave of voice-phishing campaigns that compromise single sign-on accounts at Okta, Microsoft Entra, and Google, enabling access to downstream SaaS platforms. Attackers call employees posing as IT, steer victims through dynamic phishing pages and capture multi-factor authentication in real time, then enumerate connected applications to harvest data. The group claims Salesforce as a primary target and has issued extortion demands using stolen information.

Okta SSO Accounts Targeted by Vishing Phishing Kits

🔔 Okta warns of bespoke vishing phishing kits sold as a service that enable live adversary-in-the-middle attacks to steal Okta SSO credentials. These kits include a C2 panel that lets callers control the victim's authentication flow in real time and synchronize fraudulent MFA dialogs to bypass push-based protections. Okta urges adoption of phishing-resistant MFA such as Okta FastPass, FIDO2 security keys, or passkeys and recommends user education and vendor notifications.
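The three vishing items above all rely on relaying what the victim produces to the real Okta login; the reason Okta's recommended FIDO2 keys and passkeys defeat that relay is that a WebAuthn assertion is bound to the origin and rpId the browser saw, and the relying party checks both. The following is an added example, not Okta's code: it builds a legitimate assertion and one produced on a look-alike page, then applies the binding checks a relying party performs. All inputs are constructed; signature verification, which a full relying party also performs over `authenticatorData || SHA-256(clientDataJSON)`, is left out to keep the binding logic in view.

```python
"""Why a relayed FIDO2/passkey assertion fails at the relying party.

Added example, not Okta's code. The relying party (RP) must check that the
assertion's clientDataJSON carries the challenge it issued and an origin it
owns, and that authenticatorData starts with SHA-256 of its own rpId. An
adversary-in-the-middle page has a different origin, so the browser scopes
the assertion to the phishing domain and the RP rejects it. Inputs below
are constructed; signature verification is out of scope here.
"""
import base64
import hashlib
import hmac
import json

FLAG_USER_PRESENT = 0x01


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge, origin, ceremony="webauthn.get"):
    """What the browser builds for a navigator.credentials.get() call."""
    return json.dumps({"type": ceremony, "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id, flags=FLAG_USER_PRESENT, sign_count=1):
    """rpIdHash (32) || flags (1) || signCount (4); no extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion_binding(client_data_json, auth_data, expected_challenge, rp_id, allowed_origins):
    """Return a list of binding problems; an empty list means the assertion
    is bound to this RP and to this login's challenge."""
    problems = []
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if cd.get("type") != "webauthn.get":
        problems.append(f"unexpected ceremony type {cd.get('type')!r}")
    if not hmac.compare_digest(unb64url(cd.get("challenge", "")), expected_challenge):
        problems.append("challenge does not match the one issued for this login")
    if cd.get("origin") not in allowed_origins:
        problems.append(f"origin {cd.get('origin')!r} is not an origin of this RP")
    if len(auth_data) < 37:
        problems.append("authenticatorData shorter than 37 bytes")
        return problems
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        problems.append("rpIdHash does not match this RP's rpId")
    if not auth_data[32] & FLAG_USER_PRESENT:
        problems.append("user presence flag not set")
    return problems


# Constructed scenario: same challenge, one legitimate assertion and one
# produced on the attacker's look-alike page and relayed to the RP.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
CHALLENGE = bytes(range(32))

LEGIT = (make_client_data(CHALLENGE, "https://login.example.com"),
         make_authenticator_data(RP_ID))
RELAYED = (make_client_data(CHALLENGE, "https://login-example-support.com"),
           make_authenticator_data("login-example-support.com"))


def run_scenario():
    return {"legit": verify_assertion_binding(*LEGIT, CHALLENGE, RP_ID, ALLOWED_ORIGINS),
            "relayed": verify_assertion_binding(*RELAYED, CHALLENGE, RP_ID, ALLOWED_ORIGINS)}


if __name__ == "__main__":
    for name, problems in run_scenario().items():
        print(name, "OK" if not problems else problems)
```

In practice the relay fails even earlier: the browser only lets a page request an rpId that is a registrable-domain suffix of its own origin, so the phishing page cannot obtain an assertion for a credential scoped to example.com at all. The RP-side check is the backstop for a misconfigured or permissive client, and it is also the step that push-based MFA has no equivalent of.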

Automating Just-In-Time Application Access with Tines

🔒 This article describes a pre-built Tines workflow that automates Just-In-Time (JIT) access to applications by orchestrating Okta, Jira, and Slack (or Teams) for request intake, approval, provisioning, and revocation. Users submit a self-service request via a customizable Tines Page; approvers receive interactive notifications and can approve instantly. On approval the workflow adds the user to the correct Okta group, logs actions in Jira for auditability, and enforces a timed revocation. The outcome is faster access for users, enforced least privilege, and a clear, auditable trail without manual click-ops.
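The part of the workflow that actually enforces least privilege is the timed revocation, and it has to survive a failed API call or a restarted runner. The following is an added example, not Tines' or Okta's code: a ledger of grants plus an idempotent sweep that removes expired memberships through the Okta Management API group-membership endpoints (`PUT` and `DELETE /api/v1/groups/{groupId}/users/{userId}` with an SSWS token). The HTTP client is injected, so the demo runs offline against a recording stand-in; a `requests.Session` exposes the same `put`/`delete` interface. User, group, and ticket identifiers are made up.

```python
"""Timed JIT group membership with an idempotent revocation sweep.

Added example, not Tines' or Okta's code. Uses the Okta Management API
endpoints PUT and DELETE /api/v1/groups/{groupId}/users/{userId}. The `http`
object is injected so the demo runs offline against RecordingHTTP; a
requests.Session has the same put/delete interface.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user_id: str
    group_id: str
    ticket: str          # Jira key or other audit reference
    expires_at: datetime


class OktaGroups:
    def __init__(self, org_url, api_token, http):
        self.org_url = org_url.rstrip("/")
        self.http = http
        self.headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}

    def _url(self, group_id, user_id):
        return f"{self.org_url}/api/v1/groups/{group_id}/users/{user_id}"

    def add(self, group_id, user_id):
        self.http.put(self._url(group_id, user_id), headers=self.headers).raise_for_status()

    def remove(self, group_id, user_id):
        self.http.delete(self._url(group_id, user_id), headers=self.headers).raise_for_status()


def grant_access(groups, ledger, user_id, group_id, ticket, minutes, now):
    """Provision, then record: a grant that is recorded but not provisioned is
    harmless, a grant that is provisioned but not recorded never expires."""
    groups.add(group_id, user_id)
    grant = Grant(user_id, group_id, ticket, now + timedelta(minutes=minutes))
    ledger.append(grant)
    return grant


def revoke_expired(groups, ledger, now):
    """Remove every expired membership. A grant whose DELETE fails stays in
    the ledger so the next sweep retries it; nothing is silently dropped."""
    revoked, keep = [], []
    for grant in ledger:
        if grant.expires_at > now:
            keep.append(grant)
            continue
        try:
            groups.remove(grant.group_id, grant.user_id)
            revoked.append(grant)
        except Exception:
            keep.append(grant)
    ledger[:] = keep
    return revoked


class RecordingHTTP:
    """Offline stand-in for requests.Session that records calls."""
    class _Resp:
        def raise_for_status(self):
            pass

    def __init__(self):
        self.calls = []

    def put(self, url, headers=None):
        self.calls.append(("PUT", url))
        return self._Resp()

    def delete(self, url, headers=None):
        self.calls.append(("DELETE", url))
        return self._Resp()


def demo():
    """Constructed run: a 60-minute grant, swept at +30 and +61 minutes."""
    http = RecordingHTTP()
    groups = OktaGroups("https://example.okta.com", "00T-example-token", http)
    ledger = []
    t0 = datetime(2026, 4, 20, 9, 0, tzinfo=timezone.utc)
    grant_access(groups, ledger, "00u1abc", "00g1prod", "SEC-42", 60, t0)
    early = revoke_expired(groups, ledger, t0 + timedelta(minutes=30))
    late = revoke_expired(groups, ledger, t0 + timedelta(minutes=61))
    return {"calls": http.calls, "early": len(early), "late": len(late), "open": len(ledger)}


if __name__ == "__main__":
    print(demo())
```

Persist the ledger outside the workflow runner (a table keyed by ticket works) and run the sweep on a schedule independent of the approval flow, so that a grant outlives neither its ticket nor a crashed run.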

CrowdStrike to Buy SGNL for $740M to Add Real-Time Identity

🔐 CrowdStrike will acquire identity security startup SGNL for $740 million to add real-time, risk-aware authorization that grants or revokes access based on current signals rather than static permissions. The deal, expected to close in CrowdStrike’s fiscal Q1 ending April 30, will be paid mostly in cash with some stock subject to vesting. SGNL’s technology layers with existing identity systems from Okta, Microsoft, and AWS, evaluating contextual signals — user behavior, device posture, and threat intelligence — to enforce continuous authorization and address rising machine-identity and AI-agent risks.