Okta suffers more credential stuffing attacks

Okta has issued a warning about credential stuffing attacks on its cross-origin authentication feature.

Last week, my wife got a call from the IT and security team at her workplace to ask whether she had experienced a few failed logins last month. Apparently, they noticed some strange behavior and wanted to know whether it was her or not.

And today I found why.

Okta has published an article warning that endpoints used to support its cross-origin authentication feature have been attacked with credential stuffing attempts. The attacks have reportedly affected a number of different customers.

Okta, as an authentication services and identity management vendor, allows organizations to provide “single sign-on” authentication across numerous different systems. That makes it a very attractive target for cybercriminals.

Okta specifically notified customers using their cross-origin authentication feature in Customer Identity Cloud (CIC) because that is where it noticed attackers were performing credential stuffing attacks.

Cross-Origin Resource Sharing (CORS) is a feature that allows a web page to make a web request to a different domain. Such cross-domain requests would otherwise be forbidden by web browsers’ same-origin policy. CORS defines a standardized way in which the browser and the server can interact to determine whether to allow a cross-origin request. For this feature to work, customers must grant access to the URLs from which cross-origin requests can originate. And this is the feature Okta noticed as under attack.

Mitigation

According to Okta, any tenant that does not use cross-origin authentication can disable the affected endpoint in the Auth0 Management Console, eliminating this attack vector. Okta customers should refer to its Configure Cross-Origin Resource Sharing documentation for more information. If cross-origin authentication is required, users can restrict the permitted origins.
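As an added illustration of what "restricting the permitted origins" means in practice (this is example code, not Okta's or Auth0's, and the names `ALLOWED_ORIGINS`, `normalizeOrigin`, `isAllowedOrigin` and `corsHeadersFor` are assumptions), the snippet below enforces an exact-match allow-list on the `Origin` header the way an endpoint that handles credentials should: it parses the header with the URL parser, refuses anything that is not a bare origin, and compares whole origins rather than prefixes or substrings, so a look-alike host such as `app.example.test.attacker.test` is not let through.

```javascript
// Added example (not Okta's or Auth0's code): an exact-match origin allow-list
// for a cross-origin authentication endpoint. All names and origins are
// constructed for illustration.

// Constructed allow-list: only these exact origins may call the endpoint.
const ALLOWED_ORIGINS = [
  "https://app.example.test",
  "https://admin.example.test:8443",
];

// Normalise an Origin header value to scheme://host[:port] with the URL parser.
// Returns null for anything that is not a plain web origin (e.g. "null",
// values with a path, or values carrying credentials).
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.username !== "" || url.password !== "") return null;
  // An origin has no path, query or fragment; reject values that carry one.
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
  return url.origin; // default ports are dropped, so ":443" matches the bare form
}

// Exact comparison against the allow-list. A substring or startsWith test
// would accept "https://app.example.test.attacker.test".
function isAllowedOrigin(originHeader, allowlist = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null) return false;
  const allowed = new Set(allowlist.map(normalizeOrigin).filter(Boolean));
  return allowed.has(origin);
}

// Response headers for a request. Only a permitted origin is echoed back;
// a wildcard "*" is never used on an endpoint that handles credentials,
// and "Vary: Origin" keeps caches from serving one origin's answer to another.
function corsHeadersFor(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (!isAllowedOrigin(originHeader, allowlist)) return {};
  return {
    "Access-Control-Allow-Origin": normalizeOrigin(originHeader),
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```

A tenant that does not use cross-origin authentication at all is better served by disabling the endpoint, as the article says; the allow-list only narrows the attack surface, it does not stop attempts from a permitted origin's users reusing breached passwords.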

Credential stuffing preys on the fact that many users reuse the same passwords on different sites. Take this example: A user of Site A uses the same email and password to access Site B. If Site A is compromised and the user’s login details are exposed, their account on Site B is also vulnerable. Password reuse is so common that criminals with access to the credentials from Site A will try them on a whole host of other websites. If Site B is one of them, they will gain access to the user’s account there too.
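The pattern just described also shows up in authentication logs, which is how a security team ends up phoning a user about failed logins. The following is an added example (not Okta's code, and not from the article) of the indicator a defender would compute: a stuffing run cycles through a breached list, so one source address fails for many different usernames in a short window, whereas a person who has forgotten a password fails repeatedly on a single account. The log format, field names, thresholds and addresses are all constructed for illustration; `parseLog`, `findStuffingSources` and `accountsTouchedBy` are assumed names.

```javascript
// Added example (not Okta's or the article's code): a credential stuffing
// indicator over authentication log lines. Log format, addresses, names and
// thresholds are constructed for illustration.

// Constructed sample log: "timestamp client_ip username result"
const SAMPLE_LOG = `
2024-05-20T10:00:01Z 203.0.113.7 alice FAIL
2024-05-20T10:00:02Z 203.0.113.7 bob FAIL
2024-05-20T10:00:02Z 203.0.113.7 carol FAIL
2024-05-20T10:00:03Z 203.0.113.7 dave FAIL
2024-05-20T10:00:04Z 203.0.113.7 erin FAIL
2024-05-20T10:00:05Z 203.0.113.7 frank SUCCESS
2024-05-20T10:05:00Z 198.51.100.9 alice FAIL
2024-05-20T10:05:30Z 198.51.100.9 alice SUCCESS
2024-05-20T10:06:00Z 192.0.2.44 grace FAIL
`;

// Parse the constructed format into events with a numeric timestamp.
function parseLog(text) {
  return text.trim().split("\n").map((line) => {
    const [ts, ip, user, result] = line.trim().split(/\s+/);
    return { ts: Date.parse(ts), ip, user, ok: result === "SUCCESS" };
  });
}

// Flag source IPs whose failed logins cover many distinct usernames inside a
// sliding time window. A password-guessing human hits one account over and
// over; a stuffing run touches each account once.
function findStuffingSources(events, { windowMs = 10 * 60 * 1000, minDistinctUsers = 5 } = {}) {
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const flagged = [];
  for (const [ip, evs] of byIp) {
    evs.sort((a, b) => a.ts - b.ts);
    const fails = evs.filter((e) => !e.ok);
    let start = 0;
    for (let end = 0; end < fails.length; end++) {
      // Advance the window start until it is within windowMs of the newest failure.
      while (fails[end].ts - fails[start].ts > windowMs) start++;
      const users = new Set(fails.slice(start, end + 1).map((e) => e.user));
      if (users.size >= minDistinctUsers) {
        flagged.push({
          ip,
          distinctUsers: users.size,
          // Successes from a flagged source are the accounts most likely to
          // have been opened with a password reused from a breach elsewhere.
          successes: evs.filter((e) => e.ok).map((e) => e.user),
        });
        break;
      }
    }
  }
  return flagged;
}

// Per-account summary of activity from flagged sources: the list a security
// team would work through, and the reason a user gets a call about failed logins.
function accountsTouchedBy(events, flagged) {
  const ips = new Set(flagged.map((f) => f.ip));
  const out = new Map();
  for (const e of events) {
    if (!ips.has(e.ip)) continue;
    const cur = out.get(e.user) || { failures: 0, success: false };
    if (e.ok) cur.success = true;
    else cur.failures++;
    out.set(e.user, cur);
  }
  return out;
}
```

Run against the constructed sample, `findStuffingSources(parseLog(SAMPLE_LOG))` flags only `203.0.113.7` (five distinct usernames failing within seconds, then a success for `frank`); `alice` failing once from a different address and then succeeding looks like an ordinary typo and is not flagged. In a real deployment the threshold, window and the decision to key on IP versus autonomous system or device fingerprint need tuning to the tenant's traffic.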

If the user had created different passwords for Site A and Site B, the attack would not have worked. This is why security professionals are always telling people not to reuse their passwords. If all your logins are hard to remember (and they should be), you can use a password manager to help you.

However, there are even better ways to stop credential stuffing. Multi-factor authentication (MFA), which asks for an additional proof of your identity, can almost eliminate credential stuffing. In 2019, Microsoft’s Alex Weinert wrote that “based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.” An even more modern and effective alternative is passkeys, which replace passwords entirely and offer protection against a wide variety of password attacks, including phishing.