All Okta customer support users had their email addresses copied

Share post:

Identity and access provider Okta now says the threat actor who accessed its customer help desk system last month got the names and email addresses of all contacts of organizations that use its support system.

Originally, the company said that, after an investigation, it determined only one per cent of the contacts from its 18,000 customers had information stolen, which included session tokens that could be used to infiltrate the IT networks of those firms. Of that, only a handful of organizations were actually hacked through those tokens.

However, on Wednesday Okta CSO David Bradbury acknowledged the hacker also ran and downloaded a report that contained the names and email addresses of all Okta customer support system users and, for a small number of people, their phone numbers.

“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor),” he wrote. “The Auth0/CIC support case management system was also not impacted by this incident.”

The file had fields that included the company name, name of the Okta customer that contacted support, and their office and mobile phone numbers. “The majority of the fields in the report are blank,” Bradbury said, “and the report does not include user credentials or sensitive personal data. For 99.6 per cent of users in the report, the only contact information recorded is full name and email address.”

Recognizing that stolen email addresses are a phishing risk, Bradbury added this advice:

“Many users of the customer support system are Okta administrators,” he noted. “It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).”

“While 94 per cent of Okta customers already require MFA for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing-resistant authenticators to further enhance their security.”

Okta also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta-certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data, Bradbury said.

On the one hand, that means perhaps hundreds or more of IT staff who have dealt with Okta support may get spear phishing messages that appear to come from the company. On the other hand, the number of companies vulnerable to stolen session tokens hasn’t changed.

The session tokens were included in some Okta HAR files that IT customers uploaded to Okta support to help narrow down the cause of a problem. quoted Ken Westin, field CISO at Panther Labs, saying it’s “irresponsible” of Okta to continue to downplay the compromise by making statements like there’s no “direct evidence” the threat actors are using the compromised data to target these customers.

“If they didn’t know the scope of the compromise or who the unknown actors are, they are not in a position to understand the attackers’ intent or the full risk the breached data poses to their customers. This kind of rhetoric can further erode trust in an already difficult situation,” said Westin. “At this point, it’s best for Okta to stick to facts and be transparent about the breach, so customers can make appropriate decisions about how best to manage the risk. In a world of ‘zero-trust,’ if your identity provider is compromised, it can mean zero security.”

The post All Okta customer support users had their email addresses copied first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Russian threat actor expanding its target list, warns Five Eyes report

APT29 is increasingly going after cloud services in mo

Canada’s privacy watchdog investigating hack at Global Affairs

Inquiry will look into adequacy of data safeguards at the federal

Sidebar: The powerful Digital Safety Commission

A look at the powers of the proposed five-person body charged with overseeing the Online

Proposed Canadian law puts burden on large internet providers to police child porn, hate

Designated social media providers, adult sites streaming services would have to remove some content withi

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways