Okta Admits All Customer Support Users Impacted By Breach

Okta has revealed that an October security breach compromised all users of its customer support system rather than a small subset as previously thought.

CSO David Bradbury said last month that only 134 customers were impacted after a threat actor gained access to the support system between September 28 and October 17.

They had managed to access HAR files containing cookies and session tokens from a support service account compromised via an employee’s personal Google account. The employee in question had apparently logged into that personal account on an “Okta-managed laptop.”
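HAR files record every request and response a browser made, including the Cookie, Set-Cookie and Authorization headers that carry session tokens, which is why a captured HAR is as good as a live session to whoever reads it. As an added example (not from the article and not Okta's own tooling), the following Python scrubber redacts that material before a HAR is shared with a support desk; the sample HAR, hostname and header list are constructed for illustration.

```python
import copy
import json

# Header names that routinely carry session or bearer material (constructed list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}
REDACTED = "[REDACTED]"

# Constructed sample HAR: one request/response pair with a session cookie.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "url": "https://example.okta.com/api/v1/users/me",
            "headers": [{"name": "Cookie", "value": "sid=abc123"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "abc123"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "def456"}],
        },
    }]}
}

def contains_session_material(har: dict) -> bool:
    """True if any entry still carries a cookie value or a sensitive header value."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            if any(c.get("value") not in (None, "", REDACTED) for c in msg.get("cookies", [])):
                return True
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") not in (None, "", REDACTED):
                    return True
    return False

def scrub_har(har: dict) -> tuple:
    """Return (scrubbed deep copy, number of redacted values); the input is left untouched."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for cookie in msg.get("cookies", []):
                if cookie.get("value"):
                    cookie["value"] = REDACTED
                    count += 1
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value"):
                    header["value"] = REDACTED
                    count += 1
    return out, count

if __name__ == "__main__":
    scrubbed, n = scrub_har(SAMPLE_HAR)
    print(f"redacted {n} values; still sensitive: {contains_session_material(scrubbed)}")
    print(json.dumps(scrubbed, indent=2))
```

Run `contains_session_material` on the scrubbed output as the final check before anything is uploaded; a cookie or header value the scrubber did not recognise will still trip it.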

However, in an update yesterday, Bradbury revealed that the breach was much worse than previously thought.

“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor),” he explained. “The Auth0/CIC support case management system was also not impacted by this incident.”

This could number 17,000 customers, according to Okta’s website.

However, most (99.6%) of these customers have only had their full names and email addresses exposed.

“The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data,” Bradbury said.

Given that these customers are likely to be targeted by follow-on phishing attacks, and that many of them are Okta administrators, it’s critical that they have multi-factor authentication (MFA) switched on to protect the customer support system and their Okta admin console, he added. Some 6% apparently don’t have MFA currently enabled.

The threat actor also obtained additional information, Bradbury revealed.

“We also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information,” he said.

“Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data.”