Okta Breach Impacted All Customer Support Users—Not 1 Percent

Okta upped its original estimate of customer support users affected by a recent breach from 1 percent to 100 percent, citing a “discrepancy.”

In late October, the identity management platform Okta began notifying its users of a breach of its customer support system. The company said at the time that about 1 percent of its 18,400 customers were impacted by the incident. But in a massive expansion of this estimate early this morning, Okta said that its investigation has uncovered additional evidence that, in fact, all of its customers had data stolen in the breach two months ago.

The original 1 percent estimate related to activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for troubleshooting. But the company admitted on Wednesday that its initial investigation had missed other malicious activity in which the attacker simply ran an automated query of the database that contains names and email addresses of “all Okta customer support system users.” This also included some Okta employee information.

While the attackers queried for more data than just names and email addresses—including company names, contact phone numbers, and the dates of last login and last password changes—Okta says that “the majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6 percent of users in the report, the only contact information recorded is full name and email address.”

The only Okta users not impacted by the breach are high-sensitivity customers that must comply with the United States Federal Risk and Authorization Management Program or US Department of Defense Impact Level 4 restrictions. Okta provides a separate support platform for these customers.

Okta says it didn’t realize that all customers had been affected by the incident because, while its initial investigation had looked at the queries the attackers ran on the system, “the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation.” In the initial assessment, when Okta regenerated the report in question as part of retracing the attackers’ steps, it didn’t run an “unfiltered” report, which would have returned more results. This meant that in Okta’s initial analysis, there was a discrepancy between the size of the file the investigators downloaded and the size of the file the attackers had downloaded, as recorded in the company’s logs.

Okta did not immediately respond to WIRED’s requests for clarification on why it took a month for the company to run an unfiltered report and reconcile this inconsistency.

Jake Williams, a faculty member at the Institute for Applied Network Security who specializes in corporate security incident response, says that it’s not unusual for companies to take extra time to investigate anomalies flagged in initial security investigations. He says that this partly stems from the challenge of comprehensively assessing all evidence, but that it can also be a tactic to avoid disclosing anything that isn’t absolutely necessary under regulatory requirements.

In the case of Okta, though, the company is already under scrutiny because of the stakes inherent in its work as an identity management service, as well as the fact that the company has suffered past breaches and communicated poorly about their true impact.

“I think this one is so high-profile, and the discrepancy so easily identifiable, that they risked SEC issues by not disclosing it sooner,” Williams says. “With Okta, you wait for the other shoe to drop, but then it’s like they also have a third and fourth shoe somehow.”

As companies often do, Okta says it does not have “direct knowledge or evidence that this information is being actively exploited.” But the company emphasized on Wednesday that it is very possible the stolen data will be used to fuel phishing attacks, and recommended repeatedly that all its customers and their administrators turn on multi-factor authentication for their accounts if they haven’t already.