Hackers Stole Access Tokens from Okta’s Support Unit

Condobloke


Now that's rough.

We're taught that 2FA/MFA is the way to go. We're taught that it is secure. In fact, I use 2FA on my sites and I use 2FA on sites where I consider my login to be valuable information. (I use 2FA here on Linux.org, for example.)

But, not only do you need to keep that secure, you need to keep your recovery keys secure. Anyone with the password and recovery keys can log in without actually having that second factor.

This is going to be true even if we had card readers, encrypted USB drives, etc... Those can be cloned.

In my case, I keep everything securely locked up to the best of my ability. While I don't collect much personal data, people do leave usernames and email addresses in my trust. So, keeping that safe is a priority.

That a giant company like this is having trouble doing so just shows us that there's always a 'weakest point'.

Also, maybe stop outsourcing so much...