
A Comprehensive Look at the Okta Breach: The Complete Impact

Okta, a leading identity management provider, has sharply revised its assessment of a recent breach. The company initially estimated that only about 1% of its 18,400 customers were affected by the incident. It now says the breach reached every customer using its support system, a full 100%.


The breach, first reported in late October, began with a compromised Okta support account that was accessed with stolen login credentials. That account had access to the customer support system Okta uses for troubleshooting, and the attackers used it to reach customer data. At the time, the company believed only about 1% of its customers were affected; after further investigation, Okta has acknowledged that the breach was far more extensive.


The revised assessment follows the discovery of additional malicious activity. The attackers ran an automated query against the database holding records for all users of Okta's customer support system, including some Okta employees. The query pulled more than names and email addresses: it also requested company names, phone numbers, and data about each user's last login and most recent password change.


Okta has reassured users that most fields in the downloaded report were blank, and that the report contained no sensitive personal data or user credentials. For about 99.6% of the users listed, the stolen information was limited to full name and email address.


One group was spared: customers subject to the United States Federal Risk and Authorization Management Program (FedRAMP) or US Department of Defense Impact Level 4 requirements use a separate support platform and were therefore unaffected.


Okta's delayed recognition of the breach's full impact stemmed from an oversight in the initial investigation. Investigators reviewed the queries the attackers had run, but missed one vital detail: one report the attackers downloaded was larger than the report the investigators generated when they reproduced the query.


The cause was that the investigators had run a filtered report in the initial probe, while the attackers had downloaded an unfiltered one, so the file sizes did not match. It took the company a month to reconcile the discrepancy, which raises questions about the delay in identifying and correcting the lapse.
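The check that the initial probe missed, as an added example in Python (not Okta's code or tooling): pair every report the attacker downloaded with the investigators' replay of that query and flag any pair whose filter or byte size disagrees, because a replay smaller than the attacker's artifact means the replay was narrower than what was actually taken. The log layout, field names, filter values, row counts and byte sizes below are constructed for illustration, and the bytes-per-row figure that falls out of them is an assumption, not a number from the incident.

```python
"""
Reconcile attacker report downloads against investigators' replays.

Added example, not Okta's code. Log layout, field names, filters, row counts
and byte sizes are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Constructed audit-log excerpt: one row per report the attacker downloaded
# from the support system. 'filters' is the query filter that was applied;
# '*' means the report was run unfiltered.
ATTACKER_DOWNLOADS = """\
ts,actor,report,filters,bytes
2023-10-02T14:03:11Z,support-svc-07,user_export,org=acme,18150
2023-10-02T14:07:45Z,support-svc-07,user_export,*,6072000
"""

# Constructed record of the investigators' replays of those queries. Both
# replays were run with the org filter, so the second replay does not
# reproduce the unfiltered export the attacker actually pulled.
INVESTIGATOR_REPLAYS = """\
report,filters,rows,bytes
user_export,org=acme,55,18150
user_export,org=acme,55,18150
"""


@dataclass(frozen=True)
class Export:
    report: str
    filters: str
    size: int                    # bytes of the downloaded or regenerated file
    rows: Optional[int] = None   # known only for the investigators' replays


def parse_exports(text: str) -> List[Export]:
    """Parse a CSV excerpt into Export records; the rows column is optional."""
    exports = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows = int(rec["rows"]) if rec.get("rows") else None
        exports.append(Export(rec["report"], rec["filters"], int(rec["bytes"]), rows))
    return exports


def reconcile(attacker: List[Export], replays: List[Export],
              tolerance: float = 0.02) -> List[dict]:
    """Pair each attacker download with the replay meant to reproduce it and
    flag any pair whose filter or size disagrees.

    A replay smaller than the attacker's artifact means the replay was
    narrower than the query the attacker ran. When the replay's row count is
    known, the artifact size also yields a rough count of rows taken.
    """
    if len(attacker) != len(replays):
        raise ValueError("each attacker download needs exactly one replay")
    findings = []
    for idx, (a, r) in enumerate(zip(attacker, replays)):
        if a.report != r.report:
            findings.append({"index": idx, "issue": "replay is a different report",
                             "attacker_report": a.report, "replay_report": r.report})
            continue
        size_off = abs(a.size - r.size) > tolerance * max(a.size, r.size, 1)
        if a.filters == r.filters and not size_off:
            continue  # replay reproduces the artifact; nothing to reconcile
        # Scale the replay's bytes-per-row (constructed: 330) to the artifact size.
        est_rows = round(a.size / (r.size / r.rows)) if r.rows and r.size else None
        findings.append({
            "index": idx,
            "issue": "replay does not match attacker download",
            "report": a.report,
            "attacker_filters": a.filters,
            "replay_filters": r.filters,
            "attacker_bytes": a.size,
            "replay_bytes": r.size,
            "estimated_rows_taken": est_rows,
        })
    return findings


if __name__ == "__main__":
    for finding in reconcile(parse_exports(ATTACKER_DOWNLOADS),
                             parse_exports(INVESTIGATOR_REPLAYS)):
        print(finding)
```

On the constructed data the first pair reconciles cleanly and the second is flagged: the replay filter (org=acme) does not match the attacker's (*), the artifact is far larger than the replay, and scaling the replay's bytes-per-row to the artifact size points at an export of the whole user table rather than one organisation. The point of the check is that the replay must be compared against what was actually downloaded, not against a narrower query run during triage.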


Jake Williams, an expert in corporate security incident response, explains that it's not uncommon for companies to take additional time to investigate security anomalies. This could be due to the challenge of fully assessing all evidence or a strategic move to avoid disclosing unnecessary details under regulatory requirements.


Nonetheless, Okta's situation is particularly notable given its role as an identity provider and its history of breaches and of communication failures about their impact. Williams suggests that Okta's delay in disclosing the discrepancy could lead to issues with the SEC.


Okta says it has no direct evidence that the stolen information is being actively exploited, but it acknowledges the data could be used for phishing attacks. As a precaution, the company has repeatedly urged all its customers and administrators to enable multi-factor authentication on their accounts.


See the article by Lily Hay Newman here.


Our firm offers licensed private investigation services in compliance with the regulations set by the California Department of Consumer Affairs' Bureau of Security and Investigative Services.


License No. CA PI189131
