Okta warns of credential-stuffing attacks on Customer Identity Cloud

 


Security technology provider Okta has issued an advisory warning users of active credential-stuffing attacks targeting its cross-origin authentication feature in the Customer Identity Cloud (CIC).

“We observed that the endpoints used to support the cross-origin authentication feature are being attacked via credential stuffing for a number of our customers,” Okta warned.

“For context, we observed that the endpoints used to support the cross-origin authentication feature being attacked via credential stuffing for a number of our customers,” the company said. “In this type of attack, adversaries attempt to sign-in to online services using large lists of usernames and passwords potentially obtained from previous data breaches or unrelated entities, or from phishing or malware campaigns.”

Okta said it first detected suspicious activity on April 15th.

While not all users may be affected, Okta advised security teams to scrutinize their logs for specific events such as fcoa, scoa, and pwd_leak.

“If your tenant does not use cross-origin authentication but scoa or fcoa events are present in event logs, it is likely your tenant has been targeted in a credential-stuffing attack,” the company cautioned.

Okta provided additional steps for mitigating the attacks, advising customers to rotate compromised user credentials immediately as a precaution.
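The log check Okta describes can be scripted. The following is an added example, not code from Okta or from the advisory: it triages an exported tenant log for the three event types and lists accounts to consider for credential rotation. The export layout (one JSON event per line with "type", "ip" and "user_name" fields), the three-username threshold, and the treatment of pwd_leak users as rotation candidates are assumptions, and the sample events are constructed.

```python
import json
from collections import Counter, defaultdict

WATCHED = {"fcoa", "scoa", "pwd_leak"}  # event types named in the advisory

# Constructed sample export, one JSON event per line. The field names
# "type", "ip" and "user_name" are assumptions about the export format.
SAMPLE_LOG = """
{"type": "fcoa", "ip": "203.0.113.7", "user_name": "alice@example.com"}
{"type": "fcoa", "ip": "203.0.113.7", "user_name": "bob@example.com"}
{"type": "fcoa", "ip": "203.0.113.7", "user_name": "carol@example.com"}
{"type": "scoa", "ip": "203.0.113.7", "user_name": "dave@example.com"}
{"type": "pwd_leak", "ip": "198.51.100.9", "user_name": "erin@example.com"}
{"type": "s", "ip": "192.0.2.10", "user_name": "frank@example.com"}
not-json debris from a truncated export
"""

def triage(lines, uses_coa, min_users=3):
    counts = Counter()
    failed = defaultdict(set)     # source IP -> usernames with fcoa events
    succeeded = defaultdict(set)  # source IP -> usernames with scoa events
    leaked = set()                # usernames seen in pwd_leak events
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines
        if not isinstance(ev, dict) or ev.get("type") not in WATCHED:
            continue
        kind, ip, user = ev["type"], ev.get("ip", "?"), ev.get("user_name", "?")
        counts[kind] += 1
        if kind == "fcoa":
            failed[ip].add(user)
        elif kind == "scoa":
            succeeded[ip].add(user)
        else:
            leaked.add(user)
    # Assumed heuristic: one source failing against many distinct usernames.
    stuffing_ips = sorted(ip for ip, u in failed.items() if len(u) >= min_users)
    rotate = set(leaked)
    for ip in stuffing_ips:
        rotate |= succeeded[ip]  # a success from a source that was stuffing
    return {
        "counts": dict(counts),
        # The advisory's rule: fcoa/scoa present although the feature is unused.
        "likely_targeted": not uses_coa and counts["fcoa"] + counts["scoa"] > 0,
        "stuffing_ips": stuffing_ips,
        "rotate": sorted(rotate),
    }
```

Call triage(SAMPLE_LOG.splitlines(), uses_coa=False) for a tenant that does not use cross-origin authentication; pass True where the feature is in use, in which case the per-source failure pattern is the signal to review.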

