Okta says the hackers who broke into its support case management system stole names and email addresses of all its customer support system users, an admission that significantly expands the impact of the October incident.
Okta originally claimed that only 134 customers (less than 1% of its customer base) were affected, but in a fresh update posted Wednesday, Okta security chief David Bradbury said the threat actor hijacked data from all Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, except for those in specific government-grade environments.
From the latest post-mortem:
“We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor).
The Auth0/CIC support case management system was also not impacted by this incident.”
Bradbury said the threat actor ran a report on September 28, 2023 at 15:06 UTC that contained multiple fields for each user in Okta’s customer support system, but the company’s investigation found that the majority of those fields are blank and that the report does not include user credentials or sensitive personal data.
“For 99.6% of users in the report, the only contact information recorded is full name and email address,” Bradbury said.
The Okta chief security officer said the company does not have evidence that this information is being actively exploited, but warned that the unidentified threat actor may use it to target Okta customers via phishing or social engineering attacks.
“Okta customers sign in to Okta’s customer support system with the same accounts they use in their own Okta org. Many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s),” Bradbury added.
Earlier this month, Okta blamed the hack on an employee who logged into a personal Google account on a company-managed laptop, exposing credentials that led to targeted attacks against multiple third-party companies.
Okta has found itself in the crosshairs of multiple hacking groups that target its infrastructure to break into third-party organizations. In September, Okta said a sophisticated hacking group targeted IT service desk personnel in an effort to convince them to reset multi-factor authentication (MFA) for high-privilege users within the targeted organization.
In that attack, Okta said hackers used new lateral movement and defense evasion methods, but it has not shared any information on the threat actor itself or its ultimate goal. It’s unclear if it’s related, but last year many Okta customers were targeted as part of a financially motivated cybercrime campaign named 0ktapus.