"Credentials For Okta's One-Time MFA Exposed During Twilio Breach"

Okta, an Identity and Access Management (IAM) company, lets its customers authenticate with one-time passwords (OTPs) delivered by SMS as one of several supported methods, and at the time of the incident Okta sent those SMS messages through Twilio. The threat actor behind the Twilio attack took advantage of this: anyone with access to the Twilio interface could see Okta customers' mobile phone numbers and the OTPs sent to them.

The cloud communications provider Twilio found on August 4 that unauthorized access had been made to its networks and client data. On August 8, after learning that unspecified Okta-related data had been exposed by the Twilio breach, Okta began routing SMS-based communication through a new provider. Using internal system logs from Twilio's security team, Okta was able to determine the threat actor's exposure to phone numbers and OTP codes belonging to its customers. According to the company, an OTP code expires after five minutes.

When describing the threat actor's behavior in the Twilio interface as it relates to Okta's clients, Okta differentiates between "targeted" and "incidental disclosure" of phone numbers. According to the company, the attacker looked up 38 phone numbers, most of which were associated with a single company, indicating a desire to breach that client's network. The threat actor searched for the 38 Okta-related phone numbers using the Twilio administrative portals, which displayed the 50 most recent messages sent using Okta's Twilio account, so the attacker may have seen additional phone numbers incidentally. Okta's investigation revealed that the hacker did not use these phone numbers. This article continues to discuss the exposure of Okta's one-time MFA passwords during the Twilio breach.

CyberIntelMag reports "Credentials For Okta's One-Time MFA Exposed During Twilio Breach"