Okta, an identity and access management (IAM) specialist company, has issued a warning to its customers about a potential data breach. During an investigation into a compromise of its customer support management system, Okta discovered evidence suggesting that more data may have been compromised than initially thought. It is now believed that all customers who have used the system could be at risk.
The breach occurred when a threat actor used a stolen credential, obtained from one of Okta’s employees who had used a corporate device to sign into a compromised personal Google account. This allowed the threat actor to access Okta’s case management system and view customer-uploaded HTTP Archive (HAR) files, which contain valuable data such as cookies and session tokens.
Initially, only a small number of customers were believed to have been affected. However, new information has revealed that the breach is much wider in scope. The threat actor was able to run and download a report containing the names and email addresses of all users in Okta’s customer support system.
As a result, all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, except for those in its US government FedRamp High and DoD IL4 environments, have been impacted by the cyber attack. The Auth0/CIC support case management system was not affected.
The stolen report includes various fields of information, such as account creation date, last login, full name, username, email address, company name, user type, address, password change date, job title, job description, phone number, mobile number, time zone, and SAML Federation ID. However, the majority of the fields were blank, and sensitive information and credentials were not included in the report. Only names and email addresses were stolen from over 99% of customers.
While there is no direct evidence of the stolen information being actively exploited, Okta warns that the threat actor may use it for phishing or social engineering attacks. Therefore, Okta advises all customers to immediately implement multi-factor authentication (MFA) and consider using phishing-resistant authenticators. Okta has also introduced additional security measures, including admin session reauthentication and console timeouts.
Customers are urged to be vigilant against phishing attempts, especially those targeting IT helpdesks or related service providers. It is recommended that users review their helpdesk verification processes and implement tighter checks before performing high-risk actions, such as changing passwords for privileged accounts.