Okta’s customer support system was infiltrated in September, and reported to the public in October. At the time, the company said that only about 1% of its customers had anything to worry about from the security breach. A new announcement has revised that number quite sharply; it’s now at nearly 100%.
To be fair, for many customers this will consist of only having the name and email address associated with the account exposed. However, it appears that more customers than initially reported had sensitive customer support uploads stolen by the intruders.
Expanded scope of Okta security breach includes stolen personal information
The security breach took place in late September, and according to the company was caused by a customer support employee storing personal Google login credentials in Chrome on a work device. Okta clients are already irate over the fact that there appeared to be no additional layered defenses to prevent someone with a username and password from making it so far into the environment, and that was before the breach count was revised upward.
The Okta website and public statements have at different times put the company's total client count at over 17,000 and at over 18,000. About 17,000 are now impacted in some way by the security breach, so this can be assumed to be nearly all of its client list.
Okta’s advice to potentially impacted clients is to enable a phishing-resistant method of MFA for admin access, and change admin session settings to make it tougher for an unauthorized actor to connect from unfamiliar IP addresses and dwell for extended periods of time.
Customer support data theft exposes limited assortment of personal information
The main concern in the Okta security breach was the hacker’s access to HAR files stored in the customer support environment. These files are essentially a snapshot of a client’s online activity that Okta troubleshooters can use to trace the actions that led to a problem, and can (in some cases) contain session tokens or cookies that the attackers could leverage to get into client networks. Okta initially said only about 1% of its clients were impacted in this way.
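A defender-side check that the HAR risk described above motivates, as an added example that is not part of the original article or of Okta's own tooling: a small Python routine that redacts cookies and Authorization headers from a HAR file before it is attached to a support case. The sample HAR, its URL and its cookie names are constructed for illustration.

```python
import json

# Header names that routinely carry session material in a HAR capture.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def _scrub_headers(headers):
    """Blank the value of any session-bearing header; return count redacted."""
    n = 0
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED
            n += 1
    return n

def _scrub_cookies(cookies):
    """Blank every parsed cookie value (any cookie may be a session cookie)."""
    for c in cookies:
        c["value"] = REDACTED
    return len(cookies)

def sanitize_har(har_text):
    """Redact session tokens from a HAR document (HAR 1.2 layout).
    Returns (sanitized_json_text, number_of_redactions). Missing sections
    are tolerated so a partial export still sanitizes cleanly."""
    har = json.loads(har_text)
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            count += _scrub_headers(msg.get("headers", []))
            count += _scrub_cookies(msg.get("cookies", []))
    return json.dumps(har, indent=2), count

# Constructed sample capture (not a real HAR) with a session cookie and a bearer token.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.invalid/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=abc123sessionvalue"},
                            {"name": "Authorization", "value": "Bearer eyJfake.token.value"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "abc123sessionvalue"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=newsession456; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "newsession456"}]}}]}})

if __name__ == "__main__":
    cleaned, redactions = sanitize_har(SAMPLE_HAR)
    print(f"{redactions} values redacted")
```

Response bodies are left untouched here; a capture of an API that returns tokens in JSON would still need the content field reviewed.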
The bulk of the newly impacted clients were exposed by an internal report that was stolen. This report contained a list of Okta clients that have contacted the Help Center, with assorted pieces of contact or account information attached. Okta says that in 99.6% of these cases, only a name and email address were exposed. In rare cases, other information may have been included: physical addresses, date of last password change or reset, phone and mobile numbers, time zone and SAML Federation ID.
Even if most clients were not seriously breached, the incident is part of a string that has been bad for Okta’s security reputation and that now dates back to at least early 2022. A support engineer previously had a laptop hacked by Lapsus$, the company’s source code has been exposed, and groups like 0ktapus have had sustained success in targeting clients for MFA resets by pretending to be customer support staff.