A major identity provider recently experienced a security breach in which a threat actor gained unauthorised access to files within a support system, affecting 134 customers. The compromised files included HAR files containing session tokens. The attacker used these tokens to hijack the legitimate sessions of 5 customers.
The breach was facilitated through a service account that had permissions to view and update customer support cases. An employee of the identity service, using a personal Google profile in a Chrome browser on a work laptop, inadvertently saved the service account credentials to their personal Google account. The likely cause of the credential exposure was the compromise of the employee's personal Google account or device.
To prevent similar incidents, IT departments should make sure they’re implementing the following:
- Use of Chrome policies: For organisations using Google Chrome, leverage Chrome Enterprise's configuration options to enforce policies such as BrowserSignin controls or disabling automatic password saving (especially if you already provide users with a password manager).
- Restrict Personal Account Usage: Implement policies to prevent the use of personal accounts on organisational devices. This can include disabling the ability to save login credentials from personal accounts into browsers on managed devices.
- Enhanced Monitoring and Logging: Regularly review and update monitoring systems to capture a wide range of activities, including file access and downloads. Anomalies in log patterns should be investigated promptly.
- Regular Security Audits: Conduct periodic audits of systems and accounts to ensure that only authorised users have access and that their privileges are appropriate to their roles.
- Employee Training: Educate employees about the risks of using personal accounts on work devices and the importance of maintaining strong, separate credentials for work and personal use.
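The Chrome Enterprise policies the first recommendation refers to are deployed as a managed-policy JSON file on Linux or as registry values on Windows. As an added example, not part of the original post, the script below holds a weak and a hardened policy set and audits a policy set against the failure pattern described above: any Google account allowed to sign in, Chrome Sync left on, and built-in password saving enabled. The policy names beyond BrowserSignin (RestrictSigninToPattern, SyncDisabled, PasswordManagerEnabled, BrowserAddPersonEnabled) are existing Chrome policies assumed to fit this purpose; the corp.example domain, both policy sets and the sample personal address are constructed.

```python
import json
import re

# Constructed example of a permissive managed policy: this is roughly what a
# default Chrome install behaves like, and it allows a personal Google profile
# to sign in and sync saved passwords off the managed device.
WEAK_POLICY = {
    "BrowserSignin": 1,              # 1 = sign-in allowed with any Google account
    "PasswordManagerEnabled": True,  # browser saves credentials itself
}

# Constructed hardened policy. On Linux this JSON would live under
# /etc/opt/chrome/policies/managed/; on Windows the same keys are set under
# HKLM\Software\Policies\Google\Chrome. corp.example is a placeholder domain.
HARDENED_POLICY = {
    "BrowserSignin": 1,                               # sign-in only as restricted below
    "RestrictSigninToPattern": r".*@corp\.example",   # corporate accounts only
    "SyncDisabled": True,                             # nothing leaves the device via Sync
    "PasswordManagerEnabled": False,                  # dedicated password manager instead
    "BrowserAddPersonEnabled": False,                 # no unmanaged side profiles
}

# Sample address used to prove a sign-in pattern is too broad (constructed).
PERSONAL_ACCOUNT = "personal@gmail.com"


def audit_chrome_policy(policy: dict, has_external_password_manager: bool = True) -> list:
    """Return a list of findings; an empty list means the policy set is acceptable."""
    findings = []
    signin = policy.get("BrowserSignin", 1)  # Chrome's default is sign-in enabled
    pattern = policy.get("RestrictSigninToPattern")
    if signin != 0 and not pattern:
        findings.append("any Google account may sign in: set BrowserSignin=0 or RestrictSigninToPattern")
    elif signin != 0 and re.fullmatch(pattern, PERSONAL_ACCOUNT):
        findings.append("RestrictSigninToPattern is too broad: it admits a personal address")
    if signin != 0 and not policy.get("SyncDisabled", False):
        findings.append("Chrome Sync enabled: saved data can replicate to the signed-in account")
    if has_external_password_manager and policy.get("PasswordManagerEnabled", True):
        findings.append("built-in password saving enabled alongside a managed password manager")
    if policy.get("BrowserAddPersonEnabled", True):
        findings.append("users may add unmanaged browser profiles: set BrowserAddPersonEnabled=false")
    return findings


def load_policy_file(path: str) -> dict:
    """Read a Chrome managed-policy JSON file so a deployed file can be audited."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_chrome_policy(pol) or "OK")
```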