Okta Warns Once Again of Credential-Stuffing Attacks

This time its the identity management service providers cross-origin authentication feature thats being targeted by adversaries.

For the second time in just more than a month, identity management service provider
Okta
is warning of
credential-stuffing attacks
, this time against the cross-origin authentication feature of its Customer Identity Cloud (CIC) authentication offering.
The suspicious activity started on April 15, when Okta observed that the endpoints used to support CICs cross-origin authentication feature first being attacked for a number of our customers, according to
a warning
posted on the companys website earlier this week.
Credential-stuffing attacks occur when adversaries attempt to sign in to online services using large lists of usernames and passwords, likely obtained from previous data breaches, phishing, or malware campaigns.
Late last month, Okta
also warned
of a rash of similar attacks against its service around the same time frame; those attacks were made largely through an anonymizing device such as Tor or routed through various residential proxies such as NSOCKS and Datalmpulse.
Okta has proactively informed customers with the cross-origin authentication feature enabled of the attacks and provided detailed guidance for mitigation and prevention.
The cross-origin authentication is part of Oktas Cross-Origin Resource Sharing (CORS) feature, which allows a webpage to make an Ajax call using XML requests, so customers can enable JavaScript running on a browser client to interact with resources from a different origin.
Such cross-domain requests would otherwise be forbidden by Web browsers as indicated by the same origin security policy, according to an
Okta developer resource page
. CORS defines a standardized way in which the browser and the server can interact to determine whether to allow the cross-origin request.
Okta customers using CORS should review the following events in their tenant logs to determine if they were targeted: FCOA, or failed cross-origin authentication; SCOA, or successful cross-origin authentication; and pwd_leak, or someone attempting to log in with a leaked password.
Even if a customers tenant does not use cross-origin authentication but SCOA or FCOA events are present in the event logs, its still likely that the tenant has been targeted, according to Okta.
Further, if a tenant using cross-origin authentication either saw a spike of SCOA events in April or an increase in the ratio of failure-to-success events — that is, FCOA/SCOA — then it also is likely the tenant was targeted.
Customers at risk of the attacks also can restrict permitted origins and enable breached password detection for affected tenants.
Given that credential-stuffing attacks are becoming a recurring issue for Okta customers — among myriad other organizations —the company also provided guidance for long-term defense to prevent them from occurring. Indeed, high-profile customers such as
23andMe
,
Roku
, and
Hot Topic
apparel brand have all been victims of these types of attacks.
To prevent them, organizations should enroll users in passwordless, phishing-resistant authentication, according to Okta, which also suggested that
passkeys
are the most secure option.
If an organization continues to use passwords, administrators should prevent users from choosing weak passwords, requiring them to choose a minimum of 12 characters and |no parts of the user name, according to Okta. Multifactor authentication (MFA) also can help prevent credential-stuffing attacks from being successful; in fact, Roku mandated this defense after its high-profile attack.
Further, Okta tenants not using cross-origin authentication can disable endpoints to eliminate the attack vector entirely, Okta said. And obviously, the company noted, any passwords compromised in a credential-stuffing attack should be changed immediately.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Okta Warns Once Again of Credential-Stuffing Attacks