It turns out security industry experts were right: the Okta breach on its customer support system first disclosed in October was much more severe than originally portrayed by the major identity provider, sparking some criticism from the industry.
In an advisory posted Nov. 29 by David Bradbury, Okta’s chief security officer, the company admitted that rather than the 1% of users it said were impacted when the incident was first reported a month ago, “Okta determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users.”
While the identity and access management company did not report how many customers were affected, Okta's website says more than 18,000 customers use its platform, so it's still unclear how many support users were actually impacted.
Bradbury said the majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, Bradbury said the only contact information recorded are full names and email addresses.
“While we do not have direct knowledge or evidence that this information is being actively exploited, there’s a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks,” wrote Bradbury.
Okta's breach disclosure sparks criticism
Some security analysts agreed that it may have been premature for Okta to say only 1% were impacted, but Ken Westin, Field CISO at Panther Labs, said it's "irresponsible" of Okta to continue to downplay the compromise by making statements like there's no "direct evidence" the threat actors are using the compromised data to target these customers.
"If they didn't know the scope of the compromise or who the unknown actors are, they are not in a position to understand the attackers' intent or the full risk the breached data poses to their customers; this kind of rhetoric can further erode trust in an already difficult situation," said Westin. "At this point it's best for Okta to stick to facts and be transparent about the breach so customers can make appropriate decisions about how best to manage the risk. In a world of 'zero-trust,' if your identity provider is compromised it can mean zero security."
Callie Guenther, senior manager of cyber threat research at Critical Start, pointed out that the breach is not Okta's first security challenge. Guenther said Okta previously faced incidents including hackers accessing source code and the laptop of an Okta support engineer, affecting a significant number of customers, though she noted that Okta is not unique in this respect.
“Even the most robust security systems can be vulnerable, and constant vigilance and proactive security measures are essential,” said Guenther. “The theft of names and email addresses of Okta customer support system users poses a heightened risk for phishing and social engineering attacks. Okta acknowledges the risk of the stolen information actively being used in phishing or social engineering attacks, and since the data includes many Okta administrators, the potential impact is significant.”
John Gallagher, vice president of Viakoo Labs, downplayed the significance of today's news, saying that the threat actor could get a similar customer list through ZoomInfo and other commercial services. Likewise, Gallagher said the 6% of Okta's customers that reportedly have not set up MFA is not alarming, though it does offer some insight into how lax security is at some Okta customer sites.
“The steps needed to protect Okta users are best practices, such as setting session timeouts or requiring reauthentication for sessions from a new IP address,” said Gallagher. “Okta could use the data it’s gathered by helping specific and targeted users to improve their security posture for all their systems, not just Okta.”
Okta advises users to deploy MFA
Okta’s Bradbury added that because many of the users of the customer support system are Okta administrators, it’s critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin consoles. Bradbury added that while 94% of Okta customers do already require MFA for their administrators, the company recommends that all Okta customers employ MFA and consider the use of phishing-resistant authenticators to further enhance security.
As for what caused the discrepancy from the original reports in October, Okta said that after additional analysis it determined the discrepancy stems from the threat actor running an unfiltered view of the report. Bradbury said Okta's November review identified that if the filters were removed from the templated report, the downloaded file was considerably larger.