Okta recently discovered that the extent of a data breach in late September was greater than initially estimated. While the company has not provided an exact number, they confirmed in their updated root cause analysis that personal information of all customer support system users was compromised in the breach. Previously, Okta’s CISO had stated that only 134 individuals, less than 1% of their customers, were affected. The breach impacted users of Okta’s workforce identity cloud and customer identity solution products, excluding customers in the FedRamp High and DoD IL4 environments. The Auth0/CIC case management system was not affected. The attacker created a report with mostly blank fields for 99.6% of the users, with only full name and email address recorded. User credentials and sensitive personal data were not included in the report. Okta recommends implementing multi-factor authentication and other security measures to mitigate further risks. The attack initially occurred on September 28, when the threat actor accessed files associated with 134 customers, including HAR files containing session tokens. They subsequently used these tokens to hijack the sessions of five customers and gain access to run the report. The attacker likely used an Okta employee’s credentials stored in their personal Google account to launch the attack.