Okta confirms code breach, but says no customer data was harmed


Authentication giant Okta has now confirmed recent reports of a data breach affecting its internal code.

In a press release, the company repeated the points given in a confidential email shared with its security contacts - namely, that someone managed to gain access to the company’s GitHub repository, a breach of which Okta was notified in early December this year. 

After investigating the matter, Okta concluded that someone copied the source code parked in the repository, and moved to secure its premises by placing temporary restrictions and suspending all GitHub integrations with third-party applications.

Okta Workforce Identity Cloud affected

Further investigation found that Okta’s customers, including HIPAA, FedRAMP, and DoD customers, were not affected by the incident and are therefore not required to do anything. “Okta does not rely on the confidentiality of its source code for the security of its services,” the announcement reads. “The Okta service remains fully operational and secure.”

The breach pertains to Okta Workforce Identity Cloud (WIC) code repositories, the company confirmed, adding that it does not pertain to any Auth0 (Customer Identity Cloud) products. 

Law enforcement agencies have been notified, the announcement concludes.

Commenting on the news, Raj Samani, SVP Chief Scientist at Rapid7, said a company's source code is quite valuable, and as such, important to cybercriminals.

“From our own research, we know that intellectual property is a popular target for threat actors with 12% of data disclosures between April 2020 and February 2022 containing it,” Samani said. “Stolen source code can be used to find hidden security vulnerabilities and launch further attacks on a business; therefore, it is crucial that such sensitive information is protected.”

This is not Okta’s first rodeo. In March, notorious extortion group Lapsus$ announced it had breached Okta’s administrative consoles and stolen customer data. 

And in September, Auth0 (owned by Okta) reported a similar incident, when a “third-party individual” managed to steal old source code. The method was never established, so it isn't known if any malware was involved.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
