Okta Broadens Scope of Data Breach: All Customer Support Users Affected

Okta expands scope of October breach, saying hackers stole names and email addresses of all its customer support system users.

Okta says the hackers who broke into its support case management system stole names and email addresses of all its customer support system users, an admission that significantly expands the impact of the October incident.

Okta originally claimed that only 134 customers (less than 1% of its customer base) were affected, but in a fresh update posted Wednesday, Okta security chief David Bradbury said the threat actor hijacked data from all Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, except for those in specific government-grade environments.

From the latest post-mortem:

“We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRAMP High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor).

The Auth0/CIC support case management system was also not impacted by this incident.”

Bradbury said the threat actor ran a report on September 28, 2023 at 15:06 UTC that contained multiple fields for each user in Okta’s customer support system. The company’s investigation found, however, that the majority of the fields in the report are blank and that the report does not include user credentials or sensitive personal data.

“For 99.6% of users in the report, the only contact information recorded is full name and email address,” Bradbury said.

The Okta chief security officer said the company does not have evidence that this information is being actively exploited, but warned that the unidentified threat actor may use it to target Okta customers via phishing or social engineering attacks.

“Okta customers sign in to Okta’s customer support system with the same accounts they use in their own Okta org. Many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s),” Bradbury added.

Earlier this month, Okta blamed the hack on an employee who logged into a personal Google account on a company-managed laptop, exposing credentials that led to targeted attacks against multiple third-party companies.

Okta has found itself in the crosshairs of multiple hacking groups that target its infrastructure to break into third-party organizations. In September, Okta said a sophisticated hacking group targeted IT service desk personnel in an effort to convince them to reset multi-factor authentication (MFA) for high-privilege users within the targeted organization.

In that attack, Okta said hackers used new lateral movement and defense evasion methods, but it has not shared any information on the threat actor itself or its ultimate goal. It’s unclear whether the incidents are related, but last year many Okta customers were targeted as part of a financially motivated cybercrime campaign named 0ktapus.

Related: Okta Support System Hacked, Sensitive Customer Data Stolen

Related: Okta Hack Blamed on Employee Using Personal Google Account

Related: Okta Says US Customers Targeted in Sophisticated Attacks

Related: The Chaos (and Cost) of the Lapsus$ Hacking Carnage

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
