Okta, a U.S. access and identity management company, recently disclosed that hackers compromised data on all of its customers during a breach of its support systems, contrary to its previous statement suggesting only a fraction of customers were impacted.
In October, Okta revealed that a hacker used a stolen credential to access its support case management system and pilfer customer-uploaded session tokens that could be exploited to infiltrate the networks of Okta customers. At that time, Okta informed TechCrunch that approximately 1% of customers, equivalent to 134 organizations, were affected.
In a blog post released on Wednesday, Okta’s chief security officer, David Bradbury, admitted that the breach has affected all of its customers. Although Okta spokesperson Cat Schermann declined to provide an exact figure when questioned by TechCrunch, the company’s website indicates around 18,000 customers, including 1Password, Cloudflare, OpenAI, and T-Mobile.
According to Bradbury, on September 28, a hacker ran and obtained a report containing data pertaining to “all Okta customer support system users.” For 99.6% of customers, the hackers accessed only full names and email addresses, according to Okta’s disclosure. However, in some instances, they may have also obtained phone numbers, usernames, and certain employee role details.
Bradbury mentioned, “While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks.” The notorious Scattered Spider hacking group, also known as Oktapus, has previously utilized various social engineering tactics to target the accounts of Okta customers, including Caesars Entertainment and MGM Resorts.
Okta is urging all customers to implement multi-factor authentication and use phishing-resistant authenticators, such as physical security keys.
Okta’s subsequent analysis revealed that the threat actor also accessed “additional reports and support cases” containing the contact information of all Okta-certified users and some Okta Customer Identity Cloud (CIC) customer contacts. Furthermore, some Okta employee information was included in these reports, but the exact number of affected employees out of its 6,000 staff has not been confirmed.
Okta has clarified that none of its government customers are impacted by the breach, and its Auth0 support case management system remained unaffected.
At present, the identity of the threat actors behind the recent breach of Okta’s systems remains unknown.
This is just one of several security incidents affecting Okta. Last year, the company acknowledged that hackers had stolen some of its source code. Another incident earlier in the year involved hackers sharing screenshots indicating access to the company’s internal network after compromising a vendor Okta used for customer service.