Okta alerts customers against new credential-stuffing attacks


In a credential-stuffing attack, adversaries try to log into online services using extensive lists of usernames and passwords, which they may have acquired from past data breaches, unrelated sources, phishing schemes, or malware campaigns, according to the company.

“Organizations are highly encouraged to strongly harden IAM against multiple tactics of abuse, especially credential stuffing, to ensure multiple layers of proactive controls to lower risk against attack from multiple threat actors eager to intrude and exploit,” said Ken Dunham, cyber threat director at Qualys Threat Research Unit. “Don’t let threat actors be your IAM auditor; move beyond complex password basics to harden your authentication of users and accounts to ensure you’re not the next breach victim in the news.”

A few of the high-profile data breaches this month include those affecting a Europol website, Dell Technologies, and a Zscaler “test environment.” However, the credentials the threat actors tried against the vulnerable Okta feature could have come from a much older data breach.

Use password rotation, or go password-less

Okta is advising customers to go passwordless to protect against credential-stuffing attacks. “Enroll users in passwordless, phishing-resistant authentication,” the company said. “We recommend the use of passkeys as the most secure option. Passkeys are included on all Auth0 plans from our free plan through Enterprise.”

Additionally, rotating passwords regularly, avoiding weak passwords and those on the common password list, and using a password of at least 12 characters that contains no part of the username can help too.
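
The three password rules in the paragraph above (minimum length, not on the common password list, no part of the username) are simple to enforce at registration or password-change time. The following is an added example, not code from the article or from Okta, that implements them as a checker returning every violated rule. The common-password set is a small constructed stand-in for a real published list, and treating username tokens of three or more characters as "parts" of the username is an assumption of this example.

```python
import re

# Constructed stand-in for a common/breached password list. A deployment would
# load a published list instead; this handful only illustrates the check.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "password123",
}

MIN_LENGTH = 12  # the minimum length recommended in the article


def username_parts(username, min_len=3):
    """Pieces of the username a password must not contain.

    Includes the full username, the local part before any '@', and each
    token of the local part (split on punctuation) that is at least
    `min_len` characters, so "j" from "j.smith" does not block every
    password containing the letter j.
    """
    parts = {username.lower()}
    local = username.split("@")[0].lower()
    parts.add(local)
    for tok in re.split(r"[^a-z0-9]+", local):
        if len(tok) >= min_len:
            parts.add(tok)
    return {p for p in parts if p}


def check_password(password, username, common=COMMON_PASSWORDS):
    """Return a list of human-readable violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Compare case-insensitively: "Password123" is no better than "password123".
    if lowered in common:
        problems.append("appears in the common password list")

    hits = sorted(p for p in username_parts(username) if p in lowered)
    if hits:
        problems.append("contains username part(s): " + ", ".join(hits))

    return problems


def is_acceptable(password, username):
    return not check_password(password, username)


if __name__ == "__main__":
    for pw, user in [
        ("Password123", "alice"),
        ("JohnSmith2024!!", "john.smith@example.com"),
        ("correct horse battery", "alice"),
    ]:
        print(f"{pw!r} for {user!r}: {check_password(pw, user) or 'ok'}")
```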

As a short-term fix for these attacks, Okta has recommended disabling the vulnerable endpoint within the Auth0 Management Console if the tenant isn’t using cross-origin authentication. Where cross-origin authentication is required, restricting the permitted origins is advised instead.
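
Both recommendations above reduce to a per-application setting: the cross-origin authentication feature is either off, or on with an explicit list of origins. The following added example (not code from the article or from Okta/Auth0) audits a constructed list of application settings for the weak configurations and builds the corrected settings for each. The field names `cross_origin_auth` and `allowed_origins` are assumed here to match the Auth0 Management API client object; confirm them against the tenant's own API response before automating any change, since this example does not call the API.

```python
# Constructed sample of application (client) settings, shaped like the
# Management API client object. Field names are assumed, not verified here.
SAMPLE_CLIENTS = [
    {"name": "marketing-spa", "client_id": "c1",
     "cross_origin_auth": True, "allowed_origins": []},
    {"name": "customer-portal", "client_id": "c2",
     "cross_origin_auth": True, "allowed_origins": ["https://portal.example.com"]},
    {"name": "backend-api", "client_id": "c3",
     "cross_origin_auth": False, "allowed_origins": []},
    {"name": "legacy-widget", "client_id": "c4",
     "cross_origin_auth": True, "allowed_origins": ["*"]},
]


def audit_clients(clients):
    """Return (client_id, finding) pairs for apps exposing the cross-origin endpoint unsafely."""
    findings = []
    for c in clients:
        if not c.get("cross_origin_auth"):
            continue  # feature off: endpoint not exposed for this app
        origins = [o.strip() for o in (c.get("allowed_origins") or [])]
        if not origins:
            findings.append((c["client_id"],
                             "cross-origin auth enabled with no origin restriction; "
                             "disable it unless the app needs it"))
        elif "*" in origins:
            # Treating a bare wildcard as unrestricted is this example's policy choice.
            findings.append((c["client_id"],
                             "cross-origin auth enabled with wildcard origin; "
                             "restrict to the exact origins that need it"))
    return findings


def remediation_patch(required=False, origins=()):
    """Settings change to apply: turn the feature off, or keep it with an explicit origin list.

    Origins must be full scheme://host[:port] values; anything else is rejected
    so a stray "*" cannot be reintroduced by the fix.
    """
    if not required:
        return {"cross_origin_auth": False}
    cleaned = [o.strip() for o in origins]
    if not cleaned or any(not o.startswith(("https://", "http://")) for o in cleaned):
        raise ValueError("required=True needs at least one explicit https:// or http:// origin")
    return {"cross_origin_auth": True, "allowed_origins": cleaned}


if __name__ == "__main__":
    for client_id, finding in audit_clients(SAMPLE_CLIENTS):
        print(f"{client_id}: {finding}")
    print("fix for c1:", remediation_patch())
    print("fix for c4:", remediation_patch(required=True, origins=["https://widget.example.com"]))
```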
