In a new security advisory, Okta has revealed that its system had a vulnerability that allowed people to log into an account without providing the correct password. Okta bypassed password authentication if the account had a username of 52 characters or more. Additionally, its system had to detect a “stored cache key” from a previous successful authentication, meaning the account owner had to have logged in before using that browser. The issue also did not affect organizations that require multi-factor authentication, according to the notice the company sent to its users (x.com/kmcquade3/status/1852475962715246869).
Still, a 52-character username is easier to guess than a random password; it could be as simple as a person's email address containing their full name along with the domain of their organization's website. The company admitted that the vulnerability was introduced as part of a standard update released on July 23, 2024, and that it only discovered (and fixed) the issue on October 30. It now recommends that customers who meet all the conditions of the vulnerability check their access logs over the past few months.
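The advisory's conditions translate directly into a log-triage filter: a successful password login, a username of 52 characters or more, no MFA on the session, and a timestamp inside the window between the July 23 update and the October 30 fix. The script below, an added example that is not Okta's own tooling, runs that filter over a few constructed log lines. The JSON-lines format (fields `ts`, `user`, `result`, `mfa`) is a simplified, assumed layout, not Okta's real System Log schema; map the real fields into it before using this on an export.

```python
"""Triage helper built from the conditions in the Okta advisory.

Flags successful password logins that meet all of the stated conditions:
  * username of 52 characters or more,
  * no multi-factor authentication on the session,
  * event dated between the update that introduced the bug and the fix.
Log format is a constructed, simplified JSON-lines layout (NOT Okta's real
System Log schema); translate real exports into these four fields first.
"""
import json
from datetime import date, datetime

EXPOSURE_START = date(2024, 7, 23)   # update that introduced the bug (from the advisory)
EXPOSURE_END = date(2024, 10, 30)    # date Okta says it discovered and fixed the issue
MIN_USERNAME_LEN = 52                # username length threshold stated in the advisory

# Constructed sample events; usernames, domains and timestamps are hypothetical.
SAMPLE_LOG = """\
{"ts": "2024-08-14T09:12:03Z", "user": "first.middle.lastname-with-a-long-suffix@example-organization.com", "result": "SUCCESS", "mfa": false}
{"ts": "2024-08-14T09:15:47Z", "user": "short@example.com", "result": "SUCCESS", "mfa": false}
{"ts": "2024-09-02T17:40:10Z", "user": "another.very.long.username.for.illustration@example-organization.com", "result": "SUCCESS", "mfa": true}
{"ts": "2024-07-01T08:00:00Z", "user": "first.middle.lastname-with-a-long-suffix@example-organization.com", "result": "SUCCESS", "mfa": false}
{"ts": "2024-10-12T22:05:31Z", "user": "first.middle.lastname-with-a-long-suffix@example-organization.com", "result": "FAILURE", "mfa": false}
"""


def parse_events(text):
    """Parse JSON-lines text into event dicts, converting `ts` to a date."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        events.append(ev)
    return events


def matches_advisory_conditions(ev):
    """True when an event satisfies every necessary condition from the advisory.

    These are necessary, not sufficient, conditions: the advisory's extra
    requirement (a stored cache key from a prior login on that browser) is not
    visible in a simple access log, so a hit is a lead to confirm, not proof.
    """
    return (
        len(ev["user"]) >= MIN_USERNAME_LEN
        and ev["result"] == "SUCCESS"
        and not ev["mfa"]
        and EXPOSURE_START <= ev["ts"] <= EXPOSURE_END
    )


def find_suspect_logins(text):
    """Return the events in `text` that meet all advisory conditions."""
    return [ev for ev in parse_events(text) if matches_advisory_conditions(ev)]


def summarize_by_user(text):
    """Count suspect logins per username so long-named accounts can be reviewed first."""
    counts = {}
    for ev in find_suspect_logins(text):
        counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for user, n in summarize_by_user(SAMPLE_LOG).items():
        print(f"{n} suspect login(s) for {user} ({len(user)} chars)")
```

On the constructed sample, only the August 14 login is flagged: the July 1 event predates the vulnerable update, the September 2 session used MFA, and the October 12 attempt failed. A flagged login should be confirmed with the account owner (expected device, location and time) rather than treated as a compromise on its own.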
Okta provides software that makes it easy for businesses to add authentication services to their applications. For organizations with multiple applications, it gives users a unified single sign-on so they don't have to verify their identities separately for each application. The company did not say whether it is aware of anyone affected by this specific issue, but it has previously promised to “communicate more quickly with customers” after the Lapsus$ threat group accessed a couple of users' accounts.