0ktapus Phishing Campaign Hits 130 Companies, Compromising Nearly 10,000 Accounts
A widespread phishing attack targets employees of Twilio and Cloudflare, exploiting Okta's authentication system.

Key points
- 0ktapus hackers breached 9,931 accounts across 130 companies, August 2023.
- Attackers targeted Okta's multi-factor authentication system to steal credentials.
- Affected companies include Twilio, Cloudflare, and DoorDash.
- Over 5,400 multi-factor authentication codes were compromised.
- Attackers aimed to facilitate further attacks by accessing company systems.
A massive phishing campaign named '0ktapus' has compromised accounts at over 130 organizations by targeting employees of companies like Twilio and Cloudflare. The attackers focused on exploiting Okta, a firm that provides identity and access management services, to steal login details and multi-factor authentication (MFA) codes. This campaign has led to the breach of 9,931 accounts, according to a report by cybersecurity firm Group-IB, first reported by Threatpost.
The attackers sent phishing text messages to employees, directing them to fake websites that mimicked their company's Okta login pages. Once there, employees were tricked into entering their Okta credentials and MFA codes—codes that are normally used to add an extra layer of security to logins.
The campaign has mostly affected U.S.-based companies, with 114 firms targeted. However, its reach extends to 68 other countries. Roberto Martinez, a senior analyst at Group-IB, noted that the full scale of the 0ktapus campaign may not be known for some time.
How did the hackers get in?
The 0ktapus hackers likely began by targeting telecommunications companies to obtain lists of phone numbers. Using these numbers, they sent phishing links to employees at various companies. These links led to web pages designed to look like the legitimate Okta authentication pages used by the employees' organizations.
Once the hackers obtained the login credentials, they could access company mailing lists and customer systems. This access was likely intended to facilitate supply-chain attacks, where hackers compromise one company to attack its partners or customers.
The effectiveness of the campaign has raised questions about the security of MFA systems. Group-IB reported that 5,441 MFA codes were compromised during the attack. Security expert Roger Grimes commented that while MFA is generally considered secure, it can still be vulnerable to such phishing attacks.
In a related incident, delivery service DoorDash announced that hackers used stolen vendor credentials to access internal tools, leading to the theft of customer data like names, phone numbers, and delivery addresses.
To mitigate risks from similar attacks, Group-IB recommends using FIDO2-compliant security keys for MFA and educating users on recognizing phishing attempts.



