Do You Use Okta? Hackers Probably Have Your Name and Email Now

Okta announced on Tuesday that hackers who breached its systems in October stole details about every user of the identity management service’s customer support platform, contradicting the company’s announcement in early November that only one percent of users were affected.

The stolen data includes the names and email addresses of every client in Okta’s customer support database, as well as details about some of the company’s own employees. Okta reportedly sent its clients a letter Tuesday, notifying them that they now face an increased risk of hacking attacks of their own thanks to the data breach. Okta customers (and everyone else on the planet) should make sure they have strong security measures in place, including strong passwords and multi-factor authentication. Seriously, go check right now.

It’s painfully ironic news at a company where security and verifying people’s identities are the entire business model. Okta says it rolled out new security features and recommended next steps to its customers.

“While we do not have direct knowledge or evidence that this information is being actively exploited, we have notified all our customers that this file is an increased security risk of phishing and social engineering, pushed new security features to our platforms, and provided customers with specific recommendations to defend against potential targeted attacks against their Okta administrators,” said Okta spokesperson Jenny Grich.

Names and email addresses may not seem like much without the corresponding passwords, but leaking this data dramatically increases the risk of attacks. Hackers often target their marks by posing as coworkers and convincing victims to share confidential information or click on malicious links. Names and emails can also be paired with login credentials leaked in other breaches and used in credential-stuffing attacks.

“We are working with a digital forensics firm to support our investigation and we will be sharing the report with customers upon completion,” Grich said. “In addition, we will also notify individuals that have had their information downloaded.”

On November 3rd, Okta said only 184 of the clients in its customer support system were affected by the October data breach. In a blog post on Wednesday, Okta’s Chief Security Officer David Bradbury said the company determined the real number is far higher, amounting to almost every customer that uses the company’s Okta Workforce Identity Cloud and Customer Identity Solution services.

This isn’t Okta’s first recent security disaster. In 2022, a hacking group called LAPSUS$ posted screenshots suggesting it gained administrator access to Okta’s systems. Police in London arrested a number of teenagers allegedly tied to the attack. At the time, Okta CEO Todd McKinnon vowed to restore trust in the company’s tainted brand.

