What is the real scope of the Okta data breach?

  • Okta initially said that there was no unauthorized access to the Okta service or customer data.
  • It has since stated that all Okta customer support system users are affected.
  • Exposed data could lead to more social engineering and phishing attacks. 

The recent Okta data breach had a greater impact than was initially reported. Okta first stated that the attackers gained access to its customer support system and stole cookies and session tokens that could be used to compromise Okta customer accounts.

The breach supposedly affected around 1% of Okta’s 18,400 customers, including some prominent companies like 1Password, BeyondTrust and Cloudflare. These companies detected and blocked the intrusions before any of their own customers were affected, and notified Okta about the suspicious activity.

Okta initially said that there was no unauthorized access to the Okta service or customer data and that it had taken steps to secure its repositories and notify law enforcement. However, some security experts have criticized Okta for its delayed disclosure and repeated incidents, as this is not the first time Okta has suffered a breach due to social engineering or credential theft.

In 2022, Okta was breached by hackers who compromised a subprocessor that Okta had trusted to do customer support work. In August 2023, Okta was also targeted by a ransomware group that breached more than 100 organizations, including Twilio and New Relic.

As Okta is a leading identity and authentication platform that provides critical digital infrastructure for its customers, including top cloud providers, hyperscalers and technology companies, a breach of Okta could potentially expose sensitive data and credentials for multiple accounts belonging to some of the biggest companies across the globe. Okta claims that it does not rely on the confidentiality of its source code for the security of its services and that the Okta service remains fully operational and secure.

Previously, Okta reported a breach in October that resulted in approx. 1% of customer support users having their data stolen.

What really happened?

As things seemed to normalize, Okta continued its review of the breach. However, the recent findings from the review painted an even scarier scenario. According to a blog post by David Bradbury, the chief security officer at Okta, the threat actor was actually able to run and download a report that contained the names and email addresses of all Okta customer support system users.

“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRAMP High and DoD IL4 environments (these environments use a separate support system not accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident,” said Bradbury.

Bradbury was quick to point out that the majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. In fact, he said that for 99.6% of users in the report, the only contact information recorded is full name and email address.

“While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks. Okta customers sign in to Okta’s customer support system with the same accounts they use in their own Okta org. Many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system but also to secure access to their Okta admin console(s),” added Bradbury.

Bradbury also acknowledged that there could now be a bigger risk for customers, since the names and email addresses were downloaded. Specifically, cybercriminals could use the data to launch phishing and social engineering attacks on the users affected. As such, Okta recommends its customers employ MFA for their administrators and consider using phishing-resistant authenticators to further enhance their security.
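The practical check behind that recommendation is to find every account that holds an Okta administrator role and confirm it has an active, phishing-resistant factor rather than just "some MFA". The script below is an added example, not Okta's own code or tooling. It works on records shaped like two Okta Management API responses (GET /api/v1/users/{id}/roles and GET /api/v1/users/{id}/factors); the user records are constructed for the example so it runs offline, and the severity labels and the choice of which factor types count as phishing-resistant (WebAuthn and Okta Verify FastPass, reported as "signed_nonce") are the example's own assumptions.

```python
"""Audit which Okta administrators lack phishing-resistant MFA.

Added example, not Okta's own code. It operates on data shaped like two
Okta Management API responses:
  GET /api/v1/users/{id}/roles    -> list of role assignments
  GET /api/v1/users/{id}/factors  -> list of enrolled factors
SAMPLE_USERS below is constructed for the example; replace it with real
API results to audit a live org.
"""
from typing import Dict, List

# factorType values treated as phishing-resistant (assumption for this
# example): FIDO2/WebAuthn and Okta Verify FastPass ("signed_nonce").
# SMS, voice, email, TOTP and push are phishable or prone to MFA fatigue.
PHISHING_RESISTANT = {"webauthn", "signed_nonce"}

# Constructed sample records mirroring the fields pulled from the two endpoints.
SAMPLE_USERS: List[Dict] = [
    {"login": "alice@example.com",
     "roles": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
     "factors": [{"factorType": "webauthn", "status": "ACTIVE"}]},
    {"login": "bob@example.com",
     "roles": [{"type": "ORG_ADMIN", "status": "ACTIVE"}],
     "factors": [{"factorType": "sms", "status": "ACTIVE"},
                 {"factorType": "token:software:totp", "status": "ACTIVE"}]},
    {"login": "carol@example.com",
     "roles": [{"type": "APP_ADMIN", "status": "ACTIVE"}],
     "factors": []},
    {"login": "dave@example.com",          # not an admin: skipped by audit()
     "roles": [],
     "factors": [{"factorType": "sms", "status": "ACTIVE"}]},
    {"login": "erin@example.com",          # WebAuthn enrolment never completed
     "roles": [{"type": "READ_ONLY_ADMIN", "status": "ACTIVE"}],
     "factors": [{"factorType": "webauthn", "status": "PENDING_ACTIVATION"},
                 {"factorType": "push", "status": "ACTIVE"}]},
]


def active_admin_roles(user: Dict) -> List[str]:
    """Role types assigned to the user that are currently ACTIVE."""
    return [r["type"] for r in user.get("roles", []) if r.get("status") == "ACTIVE"]


def active_factor_types(user: Dict) -> List[str]:
    """Only ACTIVE factors protect a login; pending enrolments do not count."""
    return [f["factorType"] for f in user.get("factors", []) if f.get("status") == "ACTIVE"]


def assess_admin(user: Dict) -> Dict:
    """Classify one administrator's MFA posture.

    severity (example's own labels):
      critical - no active MFA factor at all
      high     - only phishable factors are active
      ok       - at least one active phishing-resistant factor
    """
    roles = active_admin_roles(user)
    factors = active_factor_types(user)
    strong = sorted(f for f in factors if f in PHISHING_RESISTANT)
    weak = sorted(f for f in factors if f not in PHISHING_RESISTANT)
    if strong:
        severity, reason = "ok", "phishing-resistant factor enrolled"
    elif weak:
        severity, reason = "high", "only phishable factors enrolled"
    else:
        severity, reason = "critical", "no active MFA factor"
    return {"login": user["login"], "roles": roles, "severity": severity,
            "reason": reason, "strong": strong, "weak": weak}


def audit(users: List[Dict]) -> List[Dict]:
    """Findings for every admin not protected by phishing-resistant MFA.

    Non-admin accounts are skipped: the exposure that matters here is the
    admin console, which the same credentials also unlock.
    """
    findings = []
    for user in users:
        if not active_admin_roles(user):
            continue
        finding = assess_admin(user)
        if finding["severity"] != "ok":
            findings.append(finding)
    order = {"critical": 0, "high": 1}          # worst first
    return sorted(findings, key=lambda f: (order[f["severity"]], f["login"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_USERS):
        print(f"{f['severity'].upper():8} {f['login']:20} roles={','.join(f['roles'])} "
              f"({f['reason']}; active factors: {', '.join(f['weak']) or 'none'})")
```

On the sample data the report lists carol (an admin with no factor at all) first, then bob and erin, whose only active factors are SMS/TOTP and push respectively; erin's pending WebAuthn enrolment is deliberately not credited, since an unfinished enrolment protects nothing.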

Okta is a leading identity and authentication platform that provides the critical digital infrastructure for its customers.

A costly data breach but valuable lesson for Okta

In the report, Bradbury also said that Okta identified additional reports and support cases that the threat actor accessed, which contain the contact information of all Okta-certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data.

“We are working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion,” the statement said.

This update on the impact of the Okta data breach may have changed the entire situation. A jump from 1% to the entire customer portfolio is not a small change in the report. The concern now is what might happen if the investigations unveil that even more files and data were actually compromised from the breach.

As Okta looks to mitigate the situation and bring some calm to its customers, the reality is that all Okta customers should now look to boost their security. Okta has suggested MFA, but businesses can also add further layers, such as limiting how many accounts hold administrator privileges and requiring phishing-resistant authenticators for those that do.

Bloomberg reported that Okta has sent a notice to customers, warning them that they may face an increased risk of phishing and social engineering attacks. The company also said it had pushed new security features and recommendations to defend against targeted attacks.

While this would be a last resort, it wouldn’t be surprising to see some companies moving away from Okta to other providers, given the latest updates from the company.

Whatever happens, one thing is for certain – the cybercriminals are clearly the winners of this breach, as they not only managed to trick Okta into believing that only a small amount of data was compromised, but also made the company look incompetent in terms of addressing the issue to its customers in the first place.

The Okta data breach could end up being a much costlier and more impactful incident in the long run, especially since it is not the first time the company has been targeted.