San Francisco-based identity management company Okta announced on Tuesday that the data breach it suffered in October was significantly worse than originally reported.
In a blog post published on Wednesday, Okta chief security officer David Bradbury said hackers stole personal information related to every user in its customer support system, not just the 1% it had previously stated.
"We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident." - Okta wrote.
Breach Affects All Customer Support Users
In a letter also sent to customers on Tuesday, Okta disclosed that threat actors obtained data on every client in the company's customer service database during the mid-October security incident. This includes names, email addresses, and details on some Okta employees.
This is a drastic difference from Okta's November 3rd statement, when it claimed only 184 out of its thousands of customers were impacted.
Increased Risk of Phishing & Social Engineering
While passwords were not included in the stolen information (according to the Okta blog post), Okta notified customers that the breach significantly escalated the risk of phishing and social engineering attacks.
Armed with names and email addresses, hackers can more easily trick victims into sharing sensitive data or clicking malicious links by posing as coworkers or other trusted contacts. The exposed information could also potentially be paired with login credentials from other data leaks to break into accounts through credential stuffing.
Okta urged administrators to be extra vigilant against suspicious messages and stated that it "provided customers with specific recommendations to defend against potential targeted attacks." Multi-factor authentication and strong password policies are critical to reducing vulnerability.
Forensic Investigation Underway
Okta is collaborating with a digital forensics firm to further analyze the data breach and promises to share the final incident report with impacted customers. The company also plans to alert any individuals whose personal records were downloaded by the attackers.
"We are working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion," said an Okta spokesperson.
History of Recent Security Issues
This troubling news comes on the heels of another Okta security debacle earlier this year. In March 2022, the notorious hacking group LAPSUS$ leaked screenshots indicating it had obtained admin-level access to Okta's systems.
Several teenagers were later arrested in London in connection with the LAPSUS$ breach. At the time, CEO Todd McKinnon apologized for the incident and vowed to restore faith in Okta's security. This latest revelation severely undermines those efforts.
Key Takeaways
- Hackers obtained personal data on every Okta customer support user during the October breach
- Okta originally stated that only 1% of support users were impacted
- Dramatically increases risks of phishing, social engineering, and credential stuffing attacks
- Okta is investigating the breach with a digital forensics firm
- The latest event follows a high-profile LAPSUS$ hacking incident earlier this year
- Severely hurts Okta's reputation as an identity management provider
The expanding scale of the Okta breach demonstrates the company still has a long way to go in shoring up its security defenses. For a provider of identity and access management solutions, failures in safeguarding customer data are especially concerning.
Okta will need to be fully transparent about what went wrong and the steps it is taking to prevent such lapses in the future. In the meantime, all users impacted by the breach should take measures to protect themselves from potential phishing campaigns exploiting their exposed information.