Okta Expands Impact Scope of the October Customer Support Portal Breach
Okta's ongoing investigation into the October 2023 breach of its customer support management system, the Okta Help Center, has shown that the data impact is broader than first reported. In its latest security advisory, Okta Security disclosed that a threat actor accessed and downloaded a report on September 28th, 2023, at 15:06 UTC containing the names and email addresses of all Okta customer support system users.
According to Okta's Chief Security Officer, David Bradbury, Okta's investigation has "determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident." Bradbury asserts the "majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address."
While Okta clarifies that no credentials were exposed, the stolen names and email addresses give attackers what they need for targeted phishing. Because the impacted users are often Okta administrators, they face an increased risk of phishing and social engineering attacks. Though Okta has no direct evidence of active exploitation, the potential risk prompted recommendations for all Okta customers: implement MFA, enable admin session binding, set admin session timeouts, and increase phishing awareness. Okta is working with a third-party digital forensics firm to validate its findings and plans to share the firm's report with customers once it is complete.