The HAR file was created on the team member’s macOS laptop and uploaded via hotel
provided WiFi, as this event occurred at the end of a company event. Based on an analysis of
how the file was created and uploaded, Okta’s use of TLS and HSTS, and the prior use of the
same browser to access Okta, it is believed that there was no window in which this data could
have been exposed to the WiFi network, or otherwise subject to interception.
The IT team member’s macOS laptop that was used is currently offline, and was scanned with
the free version of Malwarebytes, which reported no findings. At this point, malware or some
other compromise of this device is the leading theory for how this session data was exposed;
though this is complicated by the fact that no other unusual activity tied to this team member’s
accounts have been identified.
Addendum
Oct 21, 2023: Okta confirmed publicly that their internal support systems were compromised.
This answers how the HAR file was accessed by the attacker and that the initial compromise
was not through the employee’s laptop