The Impact of Okta’s Data Breach on Customer Support System Users
Last month, Okta uncovered a breach of its Help Center environment that affected all customer support system users. At the beginning of November, Okta discovered that an unauthorized individual had accessed files within its customer support system, and its initial investigation suggested a limited data breach.
However, our further investigation revealed that the hackers also obtained a report containing the names and email addresses of all Okta customer support system users. This is a significant concern, as many of these users are administrators, and 6% of them have not activated multi-factor authentication (MFA) to protect against unauthorized login attempts.
Note: All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are affected by this breach, except for those in Okta's FedRAMP High and DoD IL4 environments. The Auth0/CIC support case management system was not impacted.
What Information Was Exposed?
The stolen report included fields for full name, username, email, company name, user type, address, last password change/reset, role, phone number, mobile number, time zone, and SAML Federation ID. However, Okta has clarified that for 99.6% of the users listed in the report, only their full names and email addresses were available, and no credentials were exposed.
Additionally, the intruders accessed data from Okta-certified users, some Okta Customer Identity Cloud (CIC) customer contacts, and Okta employee details. While this contact information does not include user credentials or sensitive personal data, it still has the potential to be used for phishing or social engineering attacks.
Protecting Against Potential Attacks
With names and emails in hand, threat actors can launch phishing or social engineering attacks to gather more information or prepare a more sophisticated attack. To help protect against such threats, Okta recommends the following measures:
- Implement MFA for admin access: Use phishing-resistant methods like Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards.
- Enable admin session binding: Require re-authentication for admin sessions from new IP addresses.
- Set admin session timeouts: Follow NIST guidelines by setting a maximum of 12 hours with a 15-minute idle time.
- Increase phishing awareness: Stay vigilant against phishing attempts and reinforce IT Help Desk verification processes, especially for high-risk actions.
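The following is an added example, not code from the original post or from Okta: it audits a constructed admin roster and admin session policy against the first three recommendations above (phishing-resistant MFA, session binding, NIST-aligned timeouts) and computes the share of admins with no MFA at all, the figure Okta put at 6%. The factor labels and class names are assumptions for this example, not Okta API values.

```python
from dataclasses import dataclass, field

# Factor labels are assumptions for this example, not Okta API values.
PHISHING_RESISTANT = {"fastpass", "fido2_webauthn", "piv_cac"}
MAX_SESSION_HOURS = 12   # NIST-aligned maximum session length cited above
MAX_IDLE_MINUTES = 15    # NIST-aligned idle timeout cited above

@dataclass
class Admin:
    login: str
    factors: set = field(default_factory=set)  # enrolled MFA factor labels

@dataclass
class AdminSessionPolicy:
    bind_to_ip: bool        # re-authenticate when the session's IP changes
    max_session_hours: int
    idle_minutes: int

def audit(admins, policy):
    """Return findings keyed by recommendation; all lists empty means compliant."""
    findings = {"no_mfa": [], "not_phishing_resistant": [], "session": []}
    for admin in admins:
        if not admin.factors:
            findings["no_mfa"].append(admin.login)
        elif not admin.factors & PHISHING_RESISTANT:
            findings["not_phishing_resistant"].append(admin.login)
    if not policy.bind_to_ip:
        findings["session"].append("admin session binding disabled")
    if policy.max_session_hours > MAX_SESSION_HOURS:
        findings["session"].append(f"max session {policy.max_session_hours}h > {MAX_SESSION_HOURS}h")
    if policy.idle_minutes > MAX_IDLE_MINUTES:
        findings["session"].append(f"idle timeout {policy.idle_minutes}m > {MAX_IDLE_MINUTES}m")
    return findings

def no_mfa_percent(admins):
    """Share of admins with no MFA enrolled, the metric Okta reported as 6%."""
    if not admins:
        return 0.0
    return 100.0 * sum(1 for a in admins if not a.factors) / len(admins)

# Constructed sample roster and policy (not real accounts or settings).
SAMPLE_ADMINS = [
    Admin("alice@example.test", {"fido2_webauthn"}),
    Admin("bob@example.test", {"sms", "totp"}),
    Admin("carol@example.test"),
    Admin("dave@example.test", {"fastpass", "totp"}),
]
SAMPLE_POLICY = AdminSessionPolicy(bind_to_ip=False, max_session_hours=24, idle_minutes=15)

if __name__ == "__main__":
    print(audit(SAMPLE_ADMINS, SAMPLE_POLICY), f"{no_mfa_percent(SAMPLE_ADMINS):.1f}% without MFA")
```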
Okta’s History of Targeted Attacks
Over the past two years, Okta has been a target of credential theft and social engineering attacks. In December 2020, hackers accessed source code from Okta’s private GitHub repositories. In January 2022, an Okta support engineer’s laptop was compromised, which impacted approximately 375 customers—2.5% of the company’s client base. The Lapsus$ extortion group claimed this attack and leaked screenshots showing they had “superuser/admin” access to Okta.com and customer data.
Take Action Today
In light of these recent cybersecurity incidents, it’s crucial for businesses to take the necessary steps to protect their sensitive information. Don’t wait for the next breach—contact us to learn how ZZ Servers can assist you in safeguarding your digital assets and providing a solid foundation for your cybersecurity needs.