Okta Broadens Scope of Data Breach

Okta revealed a security breach in which hackers obtained the names and email addresses of all users of its customer support system, except for the few operating in government-grade environments.

The breach, which was first linked to an employee’s use of a personal Google account, led to targeted attacks on third-party companies. Regarding possible phishing or social engineering attempts, Okta’s chief security officer stressed the need for multi-factor authentication to safeguard users.

After initially reporting that just 134 customers had been affected, Okta confirmed that a threat actor had obtained data belonging to all Workforce Identity Cloud and Customer Identity Solution customers, except for the few in certain government-grade environments.

The company said it had discovered that the threat actor had run a report on September 28 containing the names and email addresses of every Okta customer support system user, two months after customers first noticed unusual activity in their Okta environments.

When asked how many customers were affected overall, Okta did not reply. As of October, the company reported having more than 18,400 business customers.

Bradbury, Okta’s chief security officer, stated on the blog that “User passwords and sensitive personal data are not included in the report, and the majority of the fields are blank.”

Targets Acquired

The risk of follow-on attacks is heightened because many users of the Okta support system are also Okta administrators for their companies.

The threat actor could use this information to target Okta customers through phishing or social engineering attacks, according to Bradbury, “Even though we do not have direct knowledge or evidence that this information is being actively abused.”

After Okta stated in a Nov. 3 update that the attack’s scope was limited, investigators discovered that the initial analysis had overlooked one large report the threat actor had run within the customer support system.

“The threat actor is using an unedited view of the report, which is the cause of the error in our initial analysis,” Bradbury explained.

All users of Okta Workforce Identity Cloud and Customer Identity Solution were exposed when Okta found additional reports and support cases that the threat actor had accessed.

Okta said that the Department of Defense IL4 and FedRAMP High environments used by government agency customers were unaffected.

These reports also contained some information about Okta’s own personnel. According to Bradbury, this contact information does not include user passwords or sensitive personal information.

This incident represents the second wave of attacks since late July targeting the identity and access management provider or its customers’ Okta environments.

When the investigation is finished, Okta plans to share its findings with customers. The company is currently working with an outside digital forensics firm to confirm its results.

Discovering the Okta Data Breach

Okta said that in that attack the hackers used novel defense evasion and lateral movement techniques, but it did not provide any details about the threat actor or its end goal.

Although it is unclear whether it is connected, a financially motivated cybercrime campaign called 0ktapus targeted a large number of Okta customers last year.

Author: Anas Hasan

Date: November 30, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
