Okta, a prominent player in the U.S. access and identity management sector, recently disclosed that a security breach compromised data belonging to all of its customers. Contrary to its initial October disclosure, in which the company stated that only around 1% of its customers (about 134 organizations) were affected, Okta now confirms that the breach was far more extensive.
Okta confirms the extent of the breach
The breach began when an attacker used a stolen credential to access the firm’s support case management system and harvested session tokens that customers had uploaded to support cases. Such tokens could grant unauthorized access to the customers’ own networks. In a recent blog post, the firm’s Chief Security Officer, David Bradbury, provided additional insight into the incident. Bradbury revealed that on September 28 the attacker ran and downloaded a report containing data on “all Okta customer support system users.”
That report contained a wealth of information, although for the vast majority of customers (99.6%) the exposed fields were limited to full names and email addresses. In some cases, however, the exposed data extended to phone numbers, usernames, and the job roles of specific employees. Although the firm has no direct evidence that the compromised information is being actively exploited, there is a legitimate concern that threat actors could use it for phishing or social engineering attacks.
Notably, the Scattered Spider hacking group, also known as Oktapus, has a history of using social engineering to target the firm’s customers, including high-profile entities such as Caesars Entertainment and MGM Resorts. In response to the breach, the company is strongly urging all of its customers to implement multi-factor authentication and is recommending phishing-resistant authenticators, such as physical security keys.
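The tokens were taken from files customers had uploaded to support cases, so one customer-side mitigation is to strip session material from diagnostics before sharing them. The following is an added, defender-side example (not code from Okta or from the article) that redacts session cookies and authorization headers from a browser capture; it assumes the HTTP Archive (HAR) format, which the article does not name, and uses a constructed sample capture.

```python
import json

# Constructed sample HAR (not a real capture): one request carrying a bearer token
# and a session cookie, plus a response that sets a new session cookie.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://example.invalid/api/me",
            "headers": [{"name": "Authorization", "value": "Bearer abc.def.ghi"},
                        {"name": "Cookie", "value": "sid=s3cr3t; theme=dark"}],
            "cookies": [{"name": "sid", "value": "s3cr3t"},
                        {"name": "theme", "value": "dark"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=n3wt0k3n; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "n3wt0k3n"}],
            "content": {"mimeType": "application/json", "text": "{\"ok\":true}"},
        },
    }]}
})

# Header names (case-insensitive) whose values carry credentials or session state.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-csrf-token", "x-xsrf-token"}
REDACTED = "[REDACTED]"


def sanitize_har(har_text: str) -> tuple[dict, int]:
    """Parse a HAR document and blank out sensitive header and cookie values.

    Every cookie value is redacted, not only ones that look like session IDs,
    because a sanitizer that guesses which cookies matter will eventually miss one.
    Returns the sanitized document and the number of values redacted.
    """
    har = json.loads(har_text)
    redacted = 0
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            message = entry.get(side, {})
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    redacted += 1
            for cookie in message.get("cookies", []):
                cookie["value"] = REDACTED
                redacted += 1
    return har, redacted


if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} values; upload this instead:\n{json.dumps(clean, indent=1)}")
```

The count returned lets a support workflow refuse an upload outright when it is zero for a capture that is known to contain an authenticated session, which is a sign the sanitizer did not recognise the fields.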
Implications of the hack on the firm’s user base
Further analysis conducted by Okta revealed that the threat actor accessed additional reports and support cases containing the contact information of all Okta-certified users and some Okta Customer Identity Cloud (CIC) customer contacts. These reports also included certain Okta employee information, although the company has not disclosed the extent of the impact on its 6,000 employees. Crucially, Okta has assured that none of its government customers were affected by the breach, providing a measure of relief for entities in sensitive sectors.
Additionally, Okta’s Auth0 support case management system was not touched during this incident. The identity of the threat actors responsible for this breach remains unknown. The incident adds to a series of security challenges Okta has faced, including a breach last year in which hackers stole some of the company’s source code, and another incident earlier this year in which hackers posted screenshots showing access to Okta’s internal network after compromising a third-party company used for customer service.
As a precautionary measure, Okta customers are strongly advised to remain vigilant, implement the recommended security measures, and stay informed as the company addresses and mitigates the fallout from this extensive breach. Heightened awareness and adherence to best practices will be crucial as the cybersecurity landscape continues to evolve.