Cloudflare specialists conducted an investigation into the Okta hack in January 2022 and concluded that Cloudflare’s computer systems were not compromised.
In January 2022, hackers gained access to the account of an Okta support employee and could perform actions on his behalf. Cloudflare learned about the incident from its own SIRT team of specialists. Immediately after the incident was reported, the company temporarily disabled access for a Cloudflare employee whose email address appeared in the hackers’ screenshots.
Cloudflare also checked every employee who had reset their account password or changed their multi-factor authentication (MFA) settings since December 1, 2021. In that period, 144 Cloudflare employees had reset their password or changed their MFA settings. The company made them all reset their password.
Cloudflare uses Okta as an identity provider integrated with Cloudflare Access. This gives users secure access to internal resources. If Okta were compromised, simply changing a user’s password would not be enough for the attacker: the attacker would also need to change the hardware token (FIDO) configured for the same user. Because of this, it would not be difficult to detect compromised accounts based on the corresponding hardware keys.
Although the logs are available in the Okta console, Cloudflare also stores them in its own systems. This adds an extra layer of security and ensures that a compromise of the Okta platform cannot alter the collected data.
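The review described above (password resets and MFA changes since December 1, 2021, run against a locally retained copy of the logs) can be sketched as follows. This is an added example, not Cloudflare's tooling: it assumes the local copy keeps one Okta System Log event per line as JSON, and the sample events and addresses are constructed.

```python
import json
from datetime import datetime, timezone

# Okta System Log event types for password resets and MFA factor changes.
WATCHED = {"user.account.reset_password", "user.account.update_password",
           "user.mfa.factor.update", "user.mfa.factor.deactivate",
           "user.mfa.factor.reset_all"}
WINDOW_START = datetime(2021, 12, 1, tzinfo=timezone.utc)  # date from the article

# Constructed sample events (not real data), one JSON object per line.
SAMPLE_LOG = """\
{"published":"2021-11-20T09:00:00.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"alice@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}]}
{"published":"2021-12-15T10:30:00.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"bob@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"}]}
{"published":"2022-01-20T23:55:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"support@example.com"},"target":[{"type":"User","alternateId":"carol@example.com"}]}
{"published":"2022-01-21T08:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"dave@example.com"},"target":[{"type":"User","alternateId":"dave@example.com"}]}
{"published":"2022-01-22T08:05:00.000Z","eventType":"user.mfa.factor.update","actor":{"alternateId":"carol@example.com"},"target":[{"type":"User","alternateId":"carol@example.com"},{"type":"AuthenticatorEnrollment","alternateId":"unknown"}]}
"""

def parse_time(ts):
    """Parse an Okta 'published' timestamp (UTC, millisecond precision)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def accounts_to_review(log_text, since=WINDOW_START):
    """Map each affected user to the watched events seen on or after `since`."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventType") not in WATCHED or parse_time(event["published"]) < since:
            continue
        actor = event.get("actor", {}).get("alternateId")
        for target in event.get("target") or []:
            if target.get("type") != "User":
                continue  # skip non-user targets such as factor enrollments
            findings.setdefault(target["alternateId"], []).append({
                "event": event["eventType"],
                "when": event["published"],
                # A change made by an account other than the owner (for
                # example a support account) deserves a closer look.
                "by_other": actor != target["alternateId"],
            })
    return findings

if __name__ == "__main__":
    for user, events in sorted(accounts_to_review(SAMPLE_LOG).items()):
        print(user, [(e["event"], e["by_other"]) for e in events])
```

Every user returned is a candidate for a forced password reset; entries with `by_other` set are the ones to compare against the user's registered hardware keys first.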
Okta is not used to authenticate customers in Cloudflare, and the company does not store customer data in Okta. It is used only for managing employee accounts.