The Okta data breach just keeps getting worse

The recent data breach suffered by Okta turned out to be a lot bigger than initially thought.

In early November, the identity and access management company reported that a threat actor had managed to access files inside its customer support system. There, they stole HAR files containing cookies and session tokens, which allowed them to bypass login credentials and multi-factor authentication (MFA) and access the victims’ endpoints.
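As an added illustration (not code from Okta or from the original article), the sketch below shows how a HAR capture can be scrubbed of cookies and credential-bearing headers before it is attached to a support case. It assumes the standard HAR 1.2 layout (`log.entries[].request/response` with `headers` and `cookies` arrays); the header list and the sample capture are constructed for the example.

```python
import copy
import json

# Header names whose values act as bearer credentials (assumed list, extend as needed).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-csrf-token"}
REDACTED = "[REDACTED]"


def _scrub_message(msg):
    """Redact credentials in one HAR request or response object; return the count."""
    hits = 0
    for header in msg.get("headers", []):
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = REDACTED
            hits += 1
    for cookie in msg.get("cookies", []):
        cookie["value"] = REDACTED
        hits += 1
    return hits


def sanitize_har(har):
    """Return (sanitized deep copy of the HAR, number of redacted values)."""
    clean = copy.deepcopy(har)
    hits = 0
    for entry in clean.get("log", {}).get("entries", []):
        hits += _scrub_message(entry.get("request", {}))
        hits += _scrub_message(entry.get("response", {}))
    return clean, hits


# Constructed sample HAR (not data from the incident).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example.test/app",
        "headers": [{"name": "Cookie", "value": "sid=constructed-session-value"},
                    {"name": "Accept", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "constructed-session-value"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-rotated-value; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "constructed-rotated-value"}],
    },
}]}}

if __name__ == "__main__":
    clean, hits = sanitize_har(SAMPLE_HAR)
    print(f"redacted {hits} values")
    print(json.dumps(clean, indent=2))
```

This covers only the header and cookie arrays; tokens can also appear in query strings, request bodies and response content, so a capture still needs review before it is shared.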

At first, Okta believed 134 of its customers (fewer than 1%) were affected. However, it now seems that the attackers accessed additional reports and support cases with contact information for all Okta certified users.

Plenty of personal data

“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident,” Okta said in its latest report.

Stolen data includes full names, usernames, emails, company names, user types, addresses, last password change/reset, roles, phone numbers, mobile numbers, time zones, and SAML Federation IDs. The good news is that for 99.6% of the victims, only full names and email addresses were taken. Okta added that login credentials remained safe.

Many of the victims were administrators, too, with 6% not even having multi-factor authentication enabled. What’s more, the attackers stole data from “Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts.” Some data on Okta employees was taken as well.

“We also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information,” the report states.

“Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data.”

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.