Cloudflare Discloses ‘Limited’ Impact From Okta Breach

The company says no customer data was affected after an attacker accessed its Atlassian server using a stolen authentication token, stemming from the Okta compromise in October.

Cloudflare said Thursday that no customer data was affected after an attacker used an authentication token, stolen during last fall’s compromise of Okta’s support system, to access its Atlassian server in November.

The company disclosed the incident in a post that was signed by Cloudflare Co-founder and CEO Matthew Prince, CTO John Graham-Cumming and Chief Security Officer Grant Bourzikas.

“Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code,” Cloudflare said in the post.

In October 2023, Cloudflare said it first notified Okta about a breach of the identity platform provider rather than the other way around. The breach impacted data and credentials belonging to some customers that had used Okta’s support case management system, including Cloudflare.

However, for Cloudflare, the threat actor behind the breach “only began targeting our systems using those credentials from the Okta compromise in mid-November,” the company said.

On Nov. 23, which was the Thanksgiving holiday in the U.S., the threat actor was detected on Cloudflare’s self-hosted Atlassian server, Cloudflare executives revealed in the post.

The company’s security team cut off access to the attacker and began investigating the incident with the help of a forensic team from CrowdStrike, according to Cloudflare. The investigation was completed Wednesday, and it shows that “no Cloudflare customer data or systems were impacted by this event,” the company said.

The threat actor did establish persistent access to Cloudflare’s Atlassian server as well as access to the company’s source code management system, the vendor acknowledged.

“They did this by using one access token and three service account credentials that had been taken, and that we failed to rotate, after the Okta compromise of October 2023,” Cloudflare’s executives said. “All threat actor access and connections were terminated on November 24 and CrowdStrike has confirmed that the last evidence of threat activity was on November 24 at 10:44 (UTC).”

Ultimately, “we were (for the second time) the victim of a compromise of Okta’s systems which resulted in a threat actor gaining access to a set of credentials,” Cloudflare executives said in the post, referencing a prior Okta breach from early 2022 that also impacted the company.

The credentials were “meant to all be rotated,” Cloudflare said. “Unfortunately, we failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise.”

Cloudflare attributed the November incident to a “nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network.”

In a statement responding to Cloudflare’s post, an Okta spokesperson pointed to the fact that “this is not a new incident or disclosure” for Okta.

On Oct. 19, “we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident. We can’t comment on our customers’ security remediations,” Okta said in the statement provided to CRN.

Last fall’s Okta breach also led to the theft of all support customer names and emails, the company disclosed previously. Okta responded with a number of commitments including a pledge to delay product and feature launches for 90 days in order to focus on its security.