Skip to main content
close search
site logo

All Okta support system customers caught in previously disclosed breach

The single sign-on provider significantly widened the scope of the attack two months after customers first reported suspicious activity on their Okta environments.

Published Nov. 29, 2023
Matt Kapko's headshot
Senior Reporter
Okta booth at RSA Conference on April 27, 2023 in San Francisco.
People assemble at Okta's booth at the RSA Conference on April 27, 2023 in San Francisco. Matt Kapko/Cybersecurity Dive

The fallout from an Okta breach earlier this fall expanded dramatically this week after the single sign-on provider said an incident it previously determined to affect 1% of its customer support system clients, in fact, compromised them all.

Data on every Okta customer support system client was exposed by a cyberattack in late September, CSO David Bradbury said Wednesday in a blog post.

The company previously said the threat actor accessed files on 134 customers, less than 1% of its customer base, which ultimately compromised five customers, including BeyondTrust, Cloudflare and 1Password.

Now, two months after customers first reported suspicious activity on their Okta environments, the company said it’s determined the threat actor ran a report on Sept. 28 that contained the names and email addresses of all Okta customer support system users.

Okta did not respond to an inquiry about the total number of customers impacted. The company said it had more than 18,400 business customers in October.

“The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data,” Bradbury said in the blog post.

Targets acquired

Many Okta support system users are Okta administrators for their organizations, which amplifies the potential risk of follow-on attacks.

“While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks,” Bradbury said.

After Okta reported the scope of the attack was limited in a Nov. 3 update, security staff determined the initial analysis missed one large file the threat actor ran within the customer support system.

The discrepancy in our initial analysis stems from the threat actor running an unfiltered view of the report,” Bradbury said.

Okta discovered additional reports and support cases the threat actor accessed, which further broadened the exposure to all Okta Workforce Identity Cloud and Customer Identity Solution customers. Government agency customers using Okta’s FedRamp High and Department of Defense IL4 environments were not impacted, the company said.

“Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data,” Bradbury said.

The widescale incident marks the second string of attacks to hit the identity and access management provider or its customers’ Okta environments since late July.

Okta said it’s working with an external digital forensics firm to validate its findings and intends to share the report with customers upon completion.

Filed Under: Breaches, Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Breaches
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell