Okta security breach affected all customer support system users

This article was updated at 1:30 p.m. EST with comment from an Okta spokesperson.

All Okta customer support system users were impacted by a security breach announced last month, the company’s chief security officer said Wednesday — revealing that the breach was far larger than previously understood.

Last month, the company said hackers were able to access “files inside Okta’s customer support system associated with 134 Okta customers.”

Several of the Okta customers affected — including Cloudflare, 1Password and BeyondTrust — criticized the company for its handling of the incident. BeyondTrust notified Okta of a potential security incident in early October but it took the company two more weeks before they were able to fully get the hacker out of their system.

Wednesday’s update is likely to draw further criticism of the identity management company.

“We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users,” Okta Chief Security Officer David Bradbury wrote.

“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted,” he said, with the exception of federal customers.

An Okta spokesperson confirmed that only customer system users were affected and declined to say how many were affected. Okta's website says more than 18,000 customers use the Okta Platform.

The information leaked included the names and emails of companies and their representatives, the date accounts were created, their last login, usernames, addresses, last password changes, phone numbers, time zone and more.

The information was accessed by the hacker from a customer support system report on September 28, 2023.

Okta said most of the boxes in the report were left blank and the information did not include user credentials or sensitive personal data.

“For 99.6% of users in the report, the only contact information recorded is full name and email address,” Bradbury explained. “While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks.”

The company noted that 94% of customers already require their administrators to have multi-factor authentication enabled.

‘Considerably larger’

In October, hackers used stolen Okta credentials to break into Okta's support case management system — giving them access to HTTP Archive (HAR) files, which track interactions between a website and a browser.

Okta support typically asks customers to upload HAR files when troubleshooting issues. The files replicate browser activity and can contain “sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”

The company said that as part of their investigation, they began “manually recreating the reports that the threat actor ran within the customer support system.”

“We identified that the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation. After additional analysis, we concluded that the report contained a list of all customer support system users,” he said on Wednesday.

Bradbury said the discrepancy between their initial determination that 134 customers were affected and their most recent findings stemmed from the company not realizing that when filters were removed from the report the “downloaded file was considerably larger.” A spokesperson did not respond to questions about why this possibility was not initially explored.

They also found additional reports and support cases that the hacker accessed which contained contact information for all Okta certified users and some Okta Customer Identity Cloud (CIC) contacts, among other information.

The information of Okta employees was also in the reports. Okta said it is now working with a digital forensics firm to validate their findings. A report on the issue will be shared with Okta customers, Bradbury added.

The new information is likely to draw further criticism toward the company after they faced significant backlash last year for their handling of another security incident. Bradbury was forced to apologizeto the customers affected after that incident.