Okta data breach dilemma dwarfs earlier estimates

All customer support users told their info was accessed after analysis oversight

Okta has admitted that the number of customers affected by its October customer support system data breach is far greater than previously thought.

Chief security officer David Bradbury originally said earlier this month that according to the company's root cause analysis, the files of just 134 Okta customers – less than 1 percent of the total – were accessed by attackers.

An update published this morning instead revealed that data related to every single Okta customer support system user was accessed.

For 99.6 percent of customers, the only data accessed was the full name and email address, due to many of the data fields the attackers scanned for being blank on Okta's records. The data types included in the reports run by the attackers are below. User credentials and sensitive personal data were not included.

Created Date Last Login Full Name Username Email
Company Name User Type Address Date of Last Password Change or Reset Role: Name
Role: Description Phone Mobile Time Zone SAML Federation ID

"While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks," said Bradbury. 

"Okta customers sign in to Okta's customer support system with the same accounts they use in their own Okta org. Many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).

"Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users. While 94 percent of Okta customers already require MFA for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing-resistant authenticators to further enhance their security."

As for how the blunder materialized, Okta said it ran additional analyses of its earlier findings, involving the manual recreation of the reports generated by the attacker, and found a file much larger than the one generated in its original investigation.

The larger file was attributed to the attacker running an unfiltered view of the report and when Okta did the same, it generated a file much closer in size to the attacker's.

In the process of figuring out how the mistake came to be, it also identified additional reports accessed by the attackers, including employee information and the contact details of all Okta certified users and some Okta Customer Identity Cloud (CIC) customers.

"We are working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion," Bradbury said.

The incident has attracted broad scrutiny from infosec watchers, with some questioning whether this miscalculation and associated communications have done more damage than the incident itself.

It's been a torrid few months for Okta, marred by numerous security snafus. At the end of August, it disclosed a case involving attackers attributed to the Scattered Spider group – thought to be an AlphV/BlackCat ransomware affiliate – phishing Okta customers en masse to gain super admin access to Okta tenants.

At least four customers were known to be affected at the time and it was later revealed that two of these included MGM Resorts and Caesars Entertainment, which together were forced to pay in excess of $115 million to clean up the mess. 

Caesars reportedly paid a $15 million ransom while MGM took a $100 million hit to restore itself without bulking out the attackers' wallets.

Then in October, Okta's customer support system breach was announced, an incident in which attackers made off with HAR files to replicate genuine customer sessions.

1Password said it was a victim of the breach days later, but spotted it before any nastiness could take place. Attackers were reportedly still in their reconnaissance phase when they got booted out.

On November 2, the data of just shy of 5,000 current and former Okta employees was exposed to attackers, although this attack was carried out on a third-party provider, Rightway Healthcare, so there's not much Okta could have done to intervene.

Regardless, it has been a less-than-ideal period for the identity vendor that just last year had to contend with being breached by a band of teenagers, as well as an earlier encounter with Scattered Spider. The group was also blamed for the 2022 "Oktapus" phishing campaign that claimed a handful of high-profile scalps like Twilio and Cloudflare.

Okta is due to release its quarterly earnings later today, a little more than a month after the October breach caused its stock price to plummet. ®

More about


Send us news

Other stories you might like