Okta says data leaked on hacking forum not from its systems

Okta denies that its company data was leaked after a threat actor shared files allegedly stolen during an October 2023 cyberattack on a hacker forum.

Okta is a San Fransisco-based cloud identity and access management solutions provider whose Single Sign-On (SSO), multi-factor authentication (MFA), and API access management services are used by thousands of organizations worldwide.

In October 2023, Okta warned that its support system was breached by hackers using stolen credentials, allowing attackers to steal cookies and authentication for some customers. After the internal investigation was completed in late November, it was revealed that the incident impacted all users of the customer support system.

That incident elevated the risk of breaches for multiple Okta clients, with a notable case being a subsequent compromise of one of Cloudflare's self-hosted Atlassian servers where the hackers employed access tokens stolen during the Okta breach.

On Saturday, a cybercriminal using the alias 'Ddarknotevil' claimed to be releasing an Okta Database containing information of 3,800 customers that was stolen during last year's breach.

"Today, I have uploaded the Okta database for you all, This Breach is being shared in behife @IntelBroker - [Cyber <redacted>] thanks for reading and enjoy!," a threat actor posted to a hacking forum."

"In September 2023, Okta, an IT service management company, suffered a data breach that led to the exposure of 3.8 thousand customer support users."

The leaked data includes user IDs, full names, company names, office addresses, phone numbers, email addresses, positions/roles, and other information.

BleepingComputer contacted Okta over the weekend to ask if the claims are linked to the October incident or any other undisclosed breach.

Today, the company said that the data does not belong to them and appears to be from public information on the internet.

"This is not Okta's data, and it is not associated with the October 2023 security incident," an Okta spokesperson told BleepingComputer.

"We cannot determine the source of this data or its accuracy, but we noted that some fields have dates from over ten years ago. We suspect that this information may be aggregated from public information sources on the Internet."

The Okta spokesperson also confirmed to BleepingComputer that the firm's IT team thoroughly investigated all systems over the weekend and found no evidence of a breach.

Cyber-intelligence firm KELA also reviewed the shared data and independently corroborated that the data does not belong to Okta but is believed to be from a different company breached in July.

KELA's analysis of the data and number of records confirmed that it's the same data as a July 2023 dump made by the threat actor 'IntelBroker,' who claimed to have stolen it from the National Defense Information Sharing and Analysis Center.