hCaptcha is not affected by the Okta compromise

March 23, 2022

hCaptcha's review of the January 2022 Okta compromise. There was no impact to hCaptcha services.

On March 22, 2022 we were notified of a compromise of Okta that occurred in January 2022, in which an Okta support team account was compromised. This elevated access was apparently used to reset user accounts, and in combination with spear phishing attacks was used to target employees of other companies in order to compromise their networks.

Background

Okta is one of the larger identity platforms, used to secure authentication and access control by thousands of organizations around the world.

Compromising an identity platform means, in the worst case, that attackers can potentially access any resource secured by that platform at any of its downstream customer companies.

Direct impact

We do not use Okta internally, and no hCaptcha production assets are secured with Okta. There was no direct impact to hCaptcha from the Okta compromise.

Indirect impact

hCaptcha Enterprise is natively supported by Okta for SAML SSO via the Okta OIN. This means some hCaptcha Enterprise customers can log in to manage their services via Okta SSO.

Okta also has native integration of hCaptcha challenges. Okta customers can enable this feature within the Okta login flow, but this interaction path does not appear to be affected by the compromise.

Our job was thus to confirm that no hCaptcha Enterprise customer was affected by their Okta integration.

Verifying hCaptcha Enterprise customers were not affected

After re-confirming none of our systems or teams used Okta, we extended our analysis further by auditing whether any Okta-mediated hCaptcha Enterprise logins showed abnormal activity.

hCaptcha Enterprise customers have rich audit logs available to simplify customer compliance audits, including logins to their Enterprise accounts and all service changes across Enterprise Organizations.

We used this data to run ex post facto trend analysis and anomaly detection on Enterprise activity since January 2022 where Okta was part of the SSO flow.

After manual review of trends and anomalies, no suspicious activity was found on these Okta-mediated logins in the January 01 - March 22 2022 timeframe.

Ongoing monitoring

The hCaptcha SOC will continue elevated monitoring for anomalies on Okta-mediated login accounts, and will reach out to Enterprise customers immediately if any suspicious behavior is detected in the future.

hCaptcha will also continue to monitor Okta-related news for compromise updates to confirm no further action is required. If needed, we will provide alternate access methods for existing Okta SSO-enabled hCaptcha Enterprise customers in the event this Okta compromise is determined to be of wider scale and scope, or those customers decide to move to an alternate identity platform.
