Okta Hacker Stole Data From ‘All’ Customer Support Users, Admits Company

The hacker may use the stolen information to target ‘Okta customers via phishing or social engineering attacks,’ the firm said.
People's miniatures are seen in front of an Okta logo in this illustration taken on March 22, 2022. (Dado Ruvic/Illustration/Reuters)
Naveen Athrappully

Identity-management firm Okta admitted that all its customer support-system users were impacted by a hack in September after earlier claiming that “less than 1 percent” were affected by the breach.

The threat actor behind the Sept. 28 attack downloaded a report containing the following information on “all Okta customer support system users”: full name, username, email, address, phone, mobile, last login, account created date, company name, address, user type, date of last password change, role: name, role: description, and time zone, the company said in a Nov. 29 post. For 99.6 percent of users, the only contact information recorded in the report was full name and address.

San Francisco-based Okta’s admission that “all” customer support system users were impacted by the breach is a big change from its earlier Nov. 3 report which said that only “134 Okta customers, or less than 1 percent of Okta customers” were affected.

Okta offers identity-management solutions to businesses, allowing them to provide employees with a single sign-on (SSO) option. An SSO allows users to access the entirety of their company’s network applications by entering login credentials a single time. Because a compromise of that single login point could open the door to many customer applications at once, this offering makes Okta a high-profile target for hackers.

“While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks,” the company said about the breach.

Users sign into Okta’s customer support systems with the same accounts they use in their own “Okta org” accounts. In addition, many users of the customer support system are also Okta administrators.

As such, the company insisted “these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).”

News of the hack sent shares of Okta down by as much as 7 percent in pre-market trading on Wednesday morning. Shares recovered later.

Okta was scheduled to release its third-quarter earnings details after the stock market closed. But the company moved up the earnings declaration to the morning, reporting better-than-expected earnings and revenue.

After closing at $72.61 on Nov. 28, its shares fell to around $68.24 on Nov. 29. As of 08:25 am ET on Nov. 30, it was trading at $70.75.

Back in October, when Okta first disclosed the hack, the news had pushed down the company’s stock price by over 11 percent, wiping out around $2 billion in market capitalization.

Hacking Okta

The threat actor gained access to Okta customer accounts between Sept. 28 and Oct. 17. A few days later, on Oct. 19, Okta advised customers about the security incident.

Hackers gained access to customer information via a service account that was stored in Okta networks. This service account had permissions to view and update customer support cases.

During company investigation, Okta found that the username and password of the service account ended up getting stored in an employee’s personal Google account.

The “most likely” explanation of how the hacker gained access to the service account is that the employee’s personal Google account or device was compromised, exposing the service account credentials, the company stated.

Additional reports and support cases containing information of Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts were also accessed by the hackers. Certain employee information was also included in these compromised reports.

However, “this contact information does not include user credentials or sensitive personal data,” Okta said. “We are working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion.”

Okta has previously faced several security breaches. In March last year, the company announced that the data of 366 customers was accessed by a malicious actor via an outside contractor of the firm.

In December 2022, Okta said that a hacker accessed its source code. No “unauthorized access to customer data” was identified during this breach.

This month, Okta reported that nearly 5,000 current and former employees had their sensitive health information exposed during a security breach. However, this data exposure did not happen at Okta itself but at a third-party vendor called Rightway Healthcare.

As to the Sept. 28 hacking attack, the company is now advising all customers to implement the following security measures in addition to multi-factor authentication (MFA) to “defend against potential attacks”:
  • Admin session binding: This feature would require administrators to reauthenticate in case their session gets used by an IP address from a different ASN (Autonomous System Number). “Okta strongly recommends customers enable this feature to further secure admin sessions.”
  • Admin session timeout: An Admin console timeout has been introduced, with the default set to 12-hour session duration and 15 minutes of idle time.
  • Phishing awareness: “Okta customers should be vigilant of phishing attempts that target their employees and especially wary of social engineering attempts that target their IT Help Desks and related service providers,” the company said.
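To make the first two recommendations concrete, the following is an added example (not Okta’s code or configuration) that models an admin-session policy with the controls the article names: a session bound to the ASN observed at login that demands re-authentication when presented from a different ASN, a 12-hour absolute session lifetime, and a 15-minute idle timeout. The ASN lookup table, user names, IP addresses and timestamps are all constructed for illustration; a real deployment would resolve client IPs against a routing or GeoIP database.

```python
"""Added example: a minimal admin-session policy modelling ASN-bound sessions,
an absolute session lifetime and an idle timeout. Not Okta's implementation;
the ASN table and scenario data below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import ipaddress

ABSOLUTE_LIFETIME = timedelta(hours=12)   # default session duration named in the article
IDLE_TIMEOUT = timedelta(minutes=15)      # default idle time named in the article

# Constructed lookup table using documentation address ranges (RFC 5737) and
# private ASNs; a real deployment would query a routing or GeoIP database.
ASN_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("203.0.113.0/24"): 64502,
}


def lookup_asn(ip: str) -> Optional[int]:
    """Return the ASN for an IP address, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for network, asn in ASN_TABLE.items():
        if addr in network:
            return asn
    return None


@dataclass
class AdminSession:
    user: str
    bound_asn: Optional[int]   # ASN seen at login; the session is pinned to it
    created_at: datetime       # start of the absolute lifetime window
    last_seen: datetime        # refreshed only by accepted requests


def start_session(user: str, ip: str, now: datetime) -> AdminSession:
    """Create a session after a successful (MFA-backed) login, bound to the login ASN."""
    return AdminSession(user=user, bound_asn=lookup_asn(ip), created_at=now, last_seen=now)


def check_request(session: AdminSession, ip: str, now: datetime) -> str:
    """Evaluate one request against the session policy.

    Returns "ok" (and refreshes the idle timer) or one of
    "expired:absolute", "expired:idle", "reauth:asn_changed".
    A rejected request never refreshes last_seen, so an attacker replaying a
    stolen session from another network cannot keep it alive.
    """
    if now - session.created_at > ABSOLUTE_LIFETIME:
        return "expired:absolute"
    if now - session.last_seen > IDLE_TIMEOUT:
        return "expired:idle"
    current_asn = lookup_asn(ip)
    # Fail closed: an unknown ASN on either side is treated as a network change.
    if current_asn is None or session.bound_asn is None or current_asn != session.bound_asn:
        return "reauth:asn_changed"
    session.last_seen = now
    return "ok"


def run_scenario() -> List[str]:
    """Constructed walk-through of the four policy outcomes, in order."""
    t0 = datetime(2023, 11, 29, 9, 0)  # constructed timestamp
    s = start_session("admin@example.com", "198.51.100.7", t0)
    results = [
        check_request(s, "198.51.100.9", t0 + timedelta(minutes=5)),   # same ASN -> ok
        check_request(s, "203.0.113.4", t0 + timedelta(minutes=6)),    # other ASN -> reauth
        check_request(s, "198.51.100.9", t0 + timedelta(minutes=30)),  # 25 min idle -> expired
    ]
    s2 = start_session("admin@example.com", "198.51.100.7", t0)
    results.append(check_request(s2, "198.51.100.9", t0 + timedelta(hours=12, minutes=1)))
    return results


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The ordering of checks matters: lifetime and idle expiry are decided before the ASN comparison, and only an accepted request updates `last_seen`, so a session that has been hijacked and replayed from a different network is forced back through MFA rather than silently extended.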