Okta Discloses Support System Breach Impacting Customer Data
The company’s CSO says an attacker ‘was able to view files uploaded by certain Okta customers as part of recent support cases.’
Okta on Friday disclosed a data breach of its support case management system, through which an attacker was able to view data from “certain” customers.
In a post, Okta Chief Security Officer David Bradbury said that a stolen credential was used by an attacker to gain “unauthorized access” to the support system.
“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Bradbury wrote.
Neither the number of impacted customers nor the types of data that may have been viewed were disclosed. The company said that all affected customers have at this point been notified.
The support system is separate from Okta’s identity service, which “is fully operational and has not been impacted,” Bradbury said.
Security vendor BeyondTrust said Friday it discovered the breach and is among the impacted customers.
The company said in a post that it informed Okta about the incident on Oct. 2, but “having received no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta.” Then on Oct. 19, “Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers,” BeyondTrust said.
Okta hasn’t provided its own timeline for the breach. In response to an inquiry by CRN, Okta said in a statement that it “recently” notified customers about the incident, and reiterated several details that were shared earlier in Bradbury’s post, including that the identity service wasn’t impacted.
“We have notified impacted customers and taken measures to protect all our customers,” the company said in the statement.
Journalist Brian Krebs reported Friday that he was told by Okta that a “very small subset” of its 18,000 customers were impacted.
Okta’s stock price fell 11.6 percent, to $75.57 a share, on Friday following the disclosure of the breach.
In January 2022, a third-party Okta support provider was breached by the hacker group Lapsus$, giving the attackers access to Okta customer data. While it was initially thought that the threat actor may have accessed data from hundreds of customers, the company later said that only two Okta customers were impacted.
Ultimately more damaging was the reputational impact Okta suffered as a result of not disclosing the attack until after Lapsus$ had posted about the incident on Telegram in March 2022. Okta Co-Founder and CEO Todd McKinnon later said in an interview that it was a misstep not to disclose sooner that there was an incident.
“If that happens in January, customers can’t be finding out about it in March,” McKinnon said in May 2022.