Okta's data breach bigger than first thought

All customer service contact details leaked.

Okta has discovered that it underestimated the reach of a late September data breach.

The company has not put a number to the full scale of the breach, but in a just-published update to its root cause analysis, Okta said “all customer support system users” had personal information leaked in the breach.

In an earlier post, Okta’s CISO David Bradbury had said that just 134 customers, less than one percent of its customer base, were affected.

The breach covers users of Okta’s Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) products, “except customers in our FedRAMP High and DoD IL4 environments”.

In addition, the Auth0/CIC case management system was not impacted.

Bradbury’s latest post said the attacker created a report containing 15 fields, which were blank for most records: “For 99.6 percent of users in the report, the only contact information recorded is full name and email address.”

The report did not include user credentials or sensitive personal data, Okta said.

Okta recommends that all users of the customer support system implement multi-factor authentication (94 percent already have, the post stated).

Other recommended mitigations include session binding (which forces reauthentication if an admin’s session is reused from more than one Autonomous System Number, or ASN); admin session timeouts; and phishing awareness training.
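To make the first two mitigations concrete, here is an added example (not Okta’s code) of the session-binding and idle-timeout checks run over constructed admin-session events; the IP-to-ASN table is a hypothetical stand-in for a real ASN lookup, and the 15-minute timeout is an assumed value.

```python
"""Added example, not Okta's code: session binding plus admin idle timeout
over constructed admin-session events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, session_id, source_ip).
EVENTS = [
    ("2023-10-02T09:00:00", "sess-A", "203.0.113.10"),
    ("2023-10-02T09:05:00", "sess-A", "203.0.113.11"),  # same ASN: fine
    ("2023-10-02T09:30:00", "sess-B", "198.51.100.7"),
    ("2023-10-02T09:31:00", "sess-B", "192.0.2.44"),    # new ASN: reused token
    ("2023-10-02T08:00:00", "sess-C", "203.0.113.20"),
    ("2023-10-02T10:30:00", "sess-C", "203.0.113.20"),  # idle > timeout
]

# Hypothetical IP-to-ASN table standing in for a real GeoIP/ASN lookup.
IP_TO_ASN = {
    "203.0.113.10": 64500, "203.0.113.11": 64500, "203.0.113.20": 64500,
    "198.51.100.7": 64501, "192.0.2.44": 64502,
}

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed admin session timeout


def evaluate_sessions(events, ip_to_asn, idle_timeout=IDLE_TIMEOUT):
    """Return {session_id: reason} for every session that must reauthenticate:
    seen from more than one ASN (session binding), or idle longer than the
    admin session timeout. Sessions with neither problem are absent."""
    asns_seen = defaultdict(set)
    last_seen = {}
    verdicts = {}
    for ts, sid, ip in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        asns_seen[sid].add(ip_to_asn[ip])
        if len(asns_seen[sid]) > 1:
            # A stolen token replayed from another network shows up here.
            verdicts[sid] = "reauth: session used from multiple ASNs"
        elif sid in last_seen and when - last_seen[sid] > idle_timeout:
            verdicts.setdefault(sid, "reauth: admin session idle timeout exceeded")
        last_seen[sid] = when
    return verdicts


if __name__ == "__main__":
    for sid, reason in evaluate_sessions(EVENTS, IP_TO_ASN).items():
        print(sid, reason)
```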

Okta said that in the original attack, beginning on September 28, the threat actor accessed files associated with 134 customers, including HAR files that contained session tokens.

The attacker then used those tokens to hijack the sessions of five customers, gaining the access used to run the report.

The threat actor most likely launched the attack using an Okta employee’s credentials, which had been stored in the employee’s personal Google account.

Copyright © iTnews.com.au . All rights reserved.