The scope of the recent breach of the Okta customer support system is much wider than initially established, the company admitted on Tuesday: the attackers downloaded a report that contained the names and email addresses of all Okta customer support system users.
Initial and latest findings about the Okta customer support system breach
The breach was made public in late October, after some of the affected customers – BeyondTrust, Cloudflare and 1Password – confirmed that attackers used information stolen from Okta to attempt incursions into their systems.
Subsequently, Okta CSO David Bradbury detailed how the attackers managed to view customer support cases and extract sensitive information, and said that the threat actor gained unauthorized access to files associated with 134 (i.e., less than 1% of) Okta customers.
According to Bradbury, Okta Security has recently recreated the reports that the threat actor ran within the customer support system, and found that the file size of one in particular was much larger than the file generated during their initial investigation.
“The discrepancy in our initial analysis stems from the threat actor running an unfiltered view of the report,” he said.
“We also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data.”
So, in short:
- All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted
- Customers in Okta’s FedRAMP High and DoD IL4 environments (which use a separate support system) are not affected. Also, the Auth0/CIC support case management system was not accessed by the attackers
What info was stolen and what does this mean for affected customers?
The aforementioned report, listing all users in Okta’s customer support system, contains a number of fields: full name, username, email, company name, address, role, phone and mobile number, SAML Federation ID, and so on.
“The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address,” Bradbury revealed.
Still, this information can be used by the attackers to spear-phish Okta customers or trick them via other types of social engineering attacks.
“Okta customers sign in to Okta’s customer support system with the same accounts they use in their own Okta org. Many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s),” he explained, and added that Okta customers should be on the lookout for phishing attempts that target their employees, IT Help Desks and related service providers.
The company has also introduced several new security features (admin session binding, admin session timeout) that organizations can enable and tweak to further secure admin sessions.