
Okta Breach Impacted All Customer Support Users—Not 1 Percent


In late October, the identity management platform Okta began notifying its users of a breach of its customer support system. The company said at the time that about 1 percent of its 18,400 customers were impacted by the incident. But in a massive expansion of this estimate early this morning, Okta said that its investigation has uncovered additional evidence that, in fact, all of its customers had data stolen in the breach two months ago.

The original 1 percent estimate related to activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for troubleshooting. But the company admitted on Wednesday that its initial investigation had missed other malicious activity in which the attacker simply ran an automated query of the database that contains names and email addresses of “all Okta customer support system users.” This also included some Okta employee information.

While the attackers queried for more data than just names and email addresses—including company names, contact phone numbers, and the dates of last login and last password change—Okta says that “the majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6 percent of users in the report, the only contact information recorded is full name and email address.”

The only Okta users not impacted by the breach are high-sensitivity customers that must comply with the United States Federal Risk and Authorization Management Program or US Department of Defense Impact Level 4 restrictions. Okta provides a separate support platform for these customers.

Okta says it didn’t realize that all customers had been affected by the incident because, while its initial investigation had looked at the queries the attackers ran on the system, “the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation.” In the initial assessment, when Okta regenerated the report in question as part of retracing the attackers’ steps, it didn’t run an “unfiltered” report, which would have returned more results. This meant that in Okta’s initial analysis, there was a discrepancy between the size of the file the investigators downloaded and the size of the file the attackers had downloaded, as recorded in the company’s logs.
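The reconciliation step that went wrong above, as an added example that is not part of the article or of Okta's tooling: given audit-log lines recording what an actor downloaded (sizes included) and the sizes of the reports an investigator regenerated while retracing those steps, flag every regeneration that is smaller than the logged download, since that is the signal that the reproduction was filtered and the scope estimate built on it cannot be trusted. The JSON event format, actor names and byte counts are all constructed for the example.

```python
import json
from dataclasses import dataclass

# Constructed audit-log lines in a hypothetical JSON schema (not Okta's real one).
# Each report.download event records one report export and its size in bytes.
AUDIT_LOG = """
{"event":"report.download","report_id":"users-contact","actor":"svc-support","bytes":184320}
{"event":"report.download","report_id":"tickets-open","actor":"svc-support","bytes":40960}
{"event":"login","actor":"svc-support"}
{"event":"report.download","report_id":"users-contact","actor":"admin-1","bytes":20480}
"""

# Sizes of the reports an investigator regenerated while retracing the actor's
# steps, keyed by report id (constructed values; "users-contact" was run filtered).
REGENERATED = {"users-contact": 20480, "tickets-open": 40960}


@dataclass
class Finding:
    report_id: str
    logged_bytes: int
    regenerated_bytes: int
    verdict: str  # "match", "undersized" or "oversized"


def parse_downloads(log_text, actor):
    """Return only the report.download events attributed to the actor of interest."""
    events = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("event") == "report.download" and ev.get("actor") == actor:
            events.append(ev)
    return events


def reconcile(log_text, actor, regenerated, tolerance=0.05):
    """Compare each logged download size with the regenerated artifact.

    "undersized" means the investigator reproduced less data than the actor took,
    e.g. a filtered report instead of the unfiltered one; that gap must be closed
    before any scope estimate derived from the regenerated file is reported.
    """
    findings = []
    for ev in parse_downloads(log_text, actor):
        logged, regen = ev["bytes"], regenerated.get(ev["report_id"], 0)
        if abs(logged - regen) <= tolerance * logged:
            verdict = "match"
        else:
            verdict = "undersized" if regen < logged else "oversized"
        findings.append(Finding(ev["report_id"], logged, regen, verdict))
    return findings


def unresolved(findings):
    """Report ids whose regeneration is smaller than what the actor downloaded."""
    return [f.report_id for f in findings if f.verdict == "undersized"]
```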

Okta did not immediately respond to WIRED’s requests for clarification on why it took a month for the company to run an unfiltered report and reconcile this inconsistency.

Jake Williams, a faculty member at the Institute for Applied Network Security who specializes in corporate security incident response, says that it’s not unusual for companies to take extra time to investigate anomalies flagged in initial security investigations. He says that this partly stems from the challenge of comprehensively assessing all evidence, but that it can also be a tactic to avoid disclosing anything that isn’t absolutely necessary under regulatory requirements.

In the case of Okta, though, the company is already under scrutiny because of the stakes inherent in its work as an identity management service, as well as the fact that the company has suffered past breaches and communicated poorly about their true impact.

“I think this one is so high-profile, and the discrepancy so easily identifiable, that they risked SEC issues by not disclosing it sooner,” Williams says. “With Okta, you wait for the other shoe to drop, but then it’s like they also have a third and fourth shoe somehow.”

As companies often do, Okta says it does not have “direct knowledge or evidence that this information is being actively exploited.” But the company emphasized on Wednesday that it is very possible the stolen data will be used to fuel phishing attacks, and recommended repeatedly that all its customers and their administrators turn on multi-factor authentication for their accounts if they haven’t already.
