Major authentication provider Auth0 says code repositories were copied

Mystery around the data breach, but we can speculate...

Major authentication provider Auth0 says code repositories were copied

Authentication provider Auth0 says a third-party had access to copies of source code repositories, forcing it to call in law enforcement and outside cyber forensics experts after access to the critical material was reported.

Auth0 is owned by Okta. The company was notified of the breach in August 2022 and took pains to say that affected Auth0 code repos are from October 2020 and earlier, “which pre-dates the Auth0 acquisition by Okta.”

The company said it launched an internal and external investigation to assess what it called a “security event”.

“We have taken precautionary steps to ensure that this code cannot be used to access company or customer environments… The Auth0 service remains fully operational and secure” it said in a short statement this week.

“Both investigations, recently concluded, confirmed that there was no evidence of unauthorized access to our environments, or those of our customers, nor any evidence of any data exfiltration or persistent access.”

Auth0 is used to authenticate over 42 million logins each day by more than 2,000 enterprise customers.

These include bluechips like AMD, Pfizer, Mazda and Siemens, among many others.

Autho did not explain how the data was accessed.

Reading between the lines of what is clearly a heavily “legalled” statement from the security provider and given the emphasis that there had been no “unauthorized” access”, The Stack can speculate (and this is pure speculation) that rather than a malicious attack, instead a former staffer or contractor belatedly noticed that they still had permission to access legacy source code repositories or a local copy, did the right thing and reported it to the company – which, attentive to the need to report any issues in the wake of a damaging delay in reporting comprehensively on a breach earlier this year at parent company Okta, promptly made it public.

“Our investigation has not revealed any customer impact from this event, and no action is required by our customers. Additionally, we confirm that the Auth0 service remains fully operational and secure” it added.

Auth: Also doing some very good stuff...

Whilst the Auth0 code repository security event is troubling customers will welcome the early transparency and at The Stack we are mindful that a) "there but for the grace of god..." and that b) transparency about security issues sometimes overshadows often pioneering work that organisations are doing with little attention.

An example of the latter we would flag at Auth0 is its release this summer of OpenFGA, the open-source engine that powers Auth0 FGA (fine grained authorisation). OpenFGA is inspired by Google's influential Zanzibar paper.

OpenFGA is designed to make it easy for developers to model their application permissions and add and integrate fine-grained authorization into their applications. It allows in-memory data storage for quick development, as well as pluggable database modules - with initial support for PostgreSQL. It offers an HTTP API and a gRPC API. It has SDKs for Node.js/JavaScript, GoLang and .NET. (More details on SDKs and tools in its Community section.)

As product manager Andrés Aguiar put it in June: "We believe there’s an opportunity to create a large ecosystem around a fine-grained authorization system, and that making our FGA offering open source will maximize the chances for this to happen. We expect OpenFGA integrations for authorization policies products like OPA, proxies like Envoy, API gateways like Kong; identity providers (Auth0, Okta, AzureAD), SDKs for platforms and frameworks (Python, Java, Spring, Next.js), etc.We want to enable customers that require deploying in different cloud providers, on-premise, in multiple regions, with FedRAMP compliance, or those that have a low tolerance to the risk of delegating authorization to a third party provider... we know those are difficult problems for a SaaS product."

Check out OpenFGA here. It's properly open source: Apache 2.0 licensed.

Follow The Stack on LinkedIn