No menu items!
EletiofeOkta Breach Impacted All Customer Support Users—Not 1 Percent

Okta Breach Impacted All Customer Support Users—Not 1 Percent

-

- Advertisment -

In late October, the identity management platform Okta began notifying its users of a breach of its customer support system. The company said at the time that about 1 percent of its 18,400 customers were impacted by the incident. But in a massive expansion of this estimate early this morning, Okta said that its investigation has uncovered additional evidence that, in fact, all of its customers had data stolen in the breach two months ago.

The original 1 percent estimate related to activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for troubleshooting. But the company admitted on Wednesday that its initial investigation had missed other malicious activity in which the attacker simply ran an automated query of the database that contains names and email addresses of “all Okta customer support system users.” This also included some Okta employee information.

While the attackers queried for more data than just names and email addresses—including company names, contact phone numbers, and the data of last login and last password changes—Okta says that “the majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6 percent of users in the report, the only contact information recorded is full name and email address.”

The only Okta users not impacted by the breach are high-sensitivity customers that must comply with the United States Federal Risk and Authorization Management Program or US Department of Defense Impact Level 4 restrictions. Okta provides a separate support platform for these customers.

Okta says it didn’t realize that all customers had been affected by the incident because, while its initial investigation had looked at the queries the attackers ran on the system, “the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation.” In the initial assessment, when Okta regenerated the report in question as part of retracing the attackers’ steps, it didn’t run an “unfiltered” report, which would have returned more results. This meant that in Okta’s initial analysis, there was a discrepancy between the size of the file the investigators downloaded and the size of the file the attackers had downloaded, as recorded in the company’s logs.

Okta did not immediately respond to WIRED’s requests for clarification on why it took a month for the company to run an unfiltered report and reconcile this inconsistency.

Jake Williams, a faculty member at the Institute for Applied Network Security who specializes in corporate security incident response, says that it’s not unusual for companies to take extra time to investigate anomalies flagged in initial security investigations. He says that this partly stems from the challenge of comprehensively assessing all evidence, but that it can also be a tactic to avoid disclosing anything that isn’t absolutely necessary under regulatory requirements.

In the case of Okta, though, the company is already under scrutiny because of the stakes inherent in its work as an identity management service, as well as the fact that the company has suffered past breaches and communicated poorly about their true impact.

“I think this one is so high-profile, and the discrepancy so easily identifiable, that they risked SEC issues by not disclosing it sooner,” Williams says. “With Okta, you wait for the other shoe to drop, but then it’s like they also have a third and fourth shoe somehow.”

As companies often do, Okta says it does not have “direct knowledge or evidence that this information is being actively exploited.” But the company emphasized on Wednesday that it is very possible the stolen data will be used to fuel phishing attacks, and recommended repeatedly that all its customers and their administrators turn on multi-factor authentication for their accounts if they haven’t already.

Latest news

7 Best Handheld Gaming Consoles (2024): Switch, Steam Deck, and More

It feels like a distant memory by now, but right before the Nintendo Switch launched in 2017, it seemed...

The Boeing Starliner Astronauts Will Come Home on SpaceX’s Dragon Next Year

NASA has announced that astronauts Barry Wilmore and Sunita Williams will return to Earth next February aboard SpaceX’s Dragon...

How to Switch From iPhone to Android (2024)

Ignore the arguments about which is better, because iPhones and Android phones have far more in common than some...

12 Best Tablets (2024): iPads, Androids, and More Tested and Compared

Tablets often don't come with kickstands or enough ports, so it's a good idea to snag a few accessories...
- Advertisement -

Will the ‘Car-Free’ Los Angeles Olympics Work?

THIS ARTICLE IS republished from The Conversation under a Creative Commons license.With the Olympic torch extinguished in Paris, all...

Lionel Messi will return before MLS playoffs, says Inter Miami coach Tata Martino

Inter Miami head coach Tata Martino said on Friday that Lionel Messi will return to the team's lineup before...

Must read

7 Best Handheld Gaming Consoles (2024): Switch, Steam Deck, and More

It feels like a distant memory by now, but...

The Boeing Starliner Astronauts Will Come Home on SpaceX’s Dragon Next Year

NASA has announced that astronauts Barry Wilmore and Sunita...
- Advertisement -

You might also likeRELATED
Recommended to you