On October 20, 2023, Okta Security identified adversarial activity that used a stolen credential to gain access to the company’s support case management system. Once inside the system, the threat actor gained access to files uploaded by Okta customers using valid session tokens from recent support cases. Using the tokens extracted from the Okta support system and support cases, the threat actor subsequently gained complete access to many Okta customers’ systems. In reaction to the attack, Okta support asked customers to upload an HTTP Archive (HAR) file to help troubleshoot issues. HAR files often contain sensitive data that malicious actors can use to impersonate valid users.
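Because a HAR file records cookies, authorization headers and request parameters verbatim, it should be scrubbed before it is attached to a support case. The following sketch is an added example, not code from Okta or from the original page; the lists of sensitive names, the `REDACTED` marker and the sample capture are assumptions constructed for illustration.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed, non-exhaustive lists of credential-bearing names; extend for your apps.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "sid", "code", "password"}
REDACTED = "REDACTED"

def _scrub_pairs(pairs, names=None):
    """Redact HAR name/value pairs whose name is in `names` (all pairs if None)."""
    hits = 0
    for pair in pairs or []:
        if names is None or pair.get("name", "").lower() in names:
            pair["value"], hits = REDACTED, hits + 1
    return hits

def _scrub_url(url):
    """Redact sensitive query parameters embedded in the request URL itself."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return (sanitized deep copy, number of redacted values)."""
    har, hits = copy.deepcopy(har), 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"] = _scrub_url(req.get("url", ""))
        hits += _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        hits += _scrub_pairs(req.get("postData", {}).get("params"), SENSITIVE_PARAMS)
        for msg in (req, resp):
            hits += _scrub_pairs(msg.get("headers"), SENSITIVE_HEADERS)
            hits += _scrub_pairs(msg.get("cookies"))  # every cookie value
        # Raw bodies can carry or echo tokens, so drop them whole.
        for body in (req.get("postData", {}), resp.get("content", {})):
            if body.get("text"):
                body["text"], hits = REDACTED, hits + 1
    return har, hits

# Constructed sample capture (not real traffic).
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://example.test/app?sid=abc123&page=2",
                "headers": [{"name": "Cookie", "value": "sid=abc123"},
                            {"name": "Accept", "value": "text/html"}],
                "queryString": [{"name": "sid", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=def456"}],
                 "content": {"text": "<html>token def456</html>"}}}]}}
```

To use it on a real capture, load the file with `json.load`, pass the result to `sanitize_har`, and write the returned copy with `json.dump`. Searching the output for any known session value before sharing it is a cheap final check.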