Okta, a leading identity management platform, recently disclosed a breach of its customer support system to its users. The company initially stated that approximately 1 percent of its 18,400 customers were impacted by the breach. However, Okta has now revealed that its investigation uncovered evidence indicating that all of its customers had their data compromised in the incident.
The original 1 percent estimate stemmed from the unauthorized use of stolen login credentials to take control of an Okta support account with some customer system access for troubleshooting. Okta admitted on Wednesday that its initial investigation had failed to detect further malicious activity, in which the attacker conducted an automated query of the database containing names and email addresses of “all Okta customer support system users,” including some Okta employee information.
Although the attackers obtained more than just names and email addresses, including company names, contact phone numbers, last login data, and last password changes, Okta asserts that “the majority of the fields in the report are blank, and the report does not include user credentials or sensitive personal data. For 99.6 percent of users in the report, the only recorded contact information is full name and email address.”
The only unaffected Okta users are those subject to high-sensitivity restrictions, such as compliance with the United States Federal Risk and Authorization Management Program or US Department of Defense Impact Level 4. Okta has a separate support platform for these customers.
Okta explained that it initially failed to realize the extent of the breach because its investigation had focused on the attackers’ queries on the system. It was later discovered that a particular report downloaded by the threat actor was larger than the file generated during the initial investigation. When Okta regenerated the report, it did not run an “unfiltered” report, resulting in a discrepancy between the downloaded file size and the size as recorded in the company’s logs.
Okta has yet to respond to inquiries regarding the delay in running an unfiltered report and reconciling the inconsistency.