Okta officials said Tuesday that the data breach the company disclosed in October actually affected all of the customers in its support system rather than the one percent of support customers that it originally disclosed.
In October, Okta said that an attacker had used stolen credentials in order to access its support case management system and that the incident affected about one percent of the companies in that support system. On Tuesday, Okta CSO David Bradbury said that the intrusion actually affected every customer in the support system. After gaining access to the support system, the attacker ran a report on Sept. 28 that included customer information. For almost all of the affected users, that information was just a name and email address. But for a small number of customers, the information also included more sensitive data, such as usernames, SAML federation ID, and other information.
Bradbury said the attackers also accessed some other support cases and reports that contained information on all Okta certified users and some Okta Customer Identity Cloud customer contacts.
“Following the publication of the RCA on November 3, Okta Security reviewed our initial analysis of the actions that the threat actor performed, including manually recreating the reports that the threat actor ran within the customer support system. We identified that the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation. After additional analysis, we concluded that the report contained a list of all customer support system users,” Bradbury said.
Okta initially disclosed the intrusion in late October, and shortly afterward several large companies said that they had been affected by the incident, including 1Password, BeyondTrust, and Cloudflare. The data taken by the attacker in this incident could be used in phishing campaigns targeting Okta customers, Bradbury warned.
“While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks. Okta customers sign in to Okta’s customer support system with the same accounts they use in their own Okta org,” he said.
“Many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).”
Bradbury recommended that, in addition to enabling MFA, customers turn on a new early access feature called admin session binding, which requires an admin to reauthenticate if their session is reused from an IP address that belongs to a different ASN.
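The session-binding idea described above, as an added illustration that is not Okta's code and does not reflect how Okta's feature is implemented: an admin session records the ASN of the IP address it was created from, every later request is checked against that ASN, and a mismatch (or an IP whose ASN cannot be resolved) latches the session into a state that refuses further use until the admin completes a fresh authentication. The prefix-to-ASN table, the IP addresses and the ASNs are constructed placeholders standing in for a real BGP-derived lookup; the function and class names are likewise assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed prefix-to-ASN table. A real deployment would resolve ASNs from a
# BGP-derived data source; these prefixes and ASNs are placeholders only.
ASN_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,  # "corporate egress" (constructed)
    ipaddress.ip_network("203.0.113.0/24"): 64501,   # an unrelated network (constructed)
    ipaddress.ip_network("2001:db8::/32"): 64502,    # IPv6 placeholder (constructed)
}


def lookup_asn(ip: str) -> Optional[int]:
    """Longest-prefix match of ip against ASN_TABLE; None when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best_net, best_asn = None, None
    for net, asn in ASN_TABLE.items():
        if addr.version == net.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_asn = net, asn
    return best_asn


@dataclass
class AdminSession:
    session_id: str
    user: str
    bound_asn: Optional[int]          # ASN observed at authentication time
    reauth_required: bool = False     # latched once a mismatch is seen
    events: list = field(default_factory=list)  # audit trail for detection


def create_session(session_id: str, user: str, login_ip: str) -> AdminSession:
    """Bind a freshly authenticated admin session to the ASN of the login IP."""
    return AdminSession(session_id, user, lookup_asn(login_ip))


def validate_request(session: AdminSession, request_ip: str) -> str:
    """Return 'allow' or 'reauth'.

    Fails closed: if the request's ASN is unknown, the session's bound ASN is
    unknown, or the two differ, the session is latched and every subsequent
    request is refused until reauthenticate() succeeds.
    """
    if session.reauth_required:
        return "reauth"
    asn = lookup_asn(request_ip)
    if asn is None or session.bound_asn is None or asn != session.bound_asn:
        session.reauth_required = True
        session.events.append({
            "event": "session_asn_mismatch",
            "session_id": session.session_id,
            "user": session.user,
            "bound_asn": session.bound_asn,
            "request_ip": request_ip,
            "request_asn": asn,
        })
        return "reauth"
    return "allow"


def reauthenticate(session: AdminSession, login_ip: str) -> None:
    """Called only after the admin has passed a fresh (MFA) authentication:
    rebind the session to the new ASN and clear the latch."""
    session.bound_asn = lookup_asn(login_ip)
    session.reauth_required = False


if __name__ == "__main__":
    s = create_session("sess-1", "admin@example.test", "198.51.100.10")
    print(validate_request(s, "198.51.100.77"))  # same ASN: allow
    print(validate_request(s, "203.0.113.5"))    # different ASN: reauth
    print(validate_request(s, "198.51.100.77"))  # latched: still reauth
    print(s.events)
```

The latch matters: without it, a stolen session token would keep working from the original network while only the mismatching requests were refused. Emitting the mismatch as a structured audit event also gives the SOC a signal that a session token is being replayed from a network the admin did not authenticate from, which is the symptom to alert on rather than silently forcing a login.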