Contrary to its earlier analysis, Okta has confirmed that all of its customer support system users are affected by the recent security incident.

Identity and access management company Okta has revealed that last month’s security incident within its support case management system affected all users, contrary to earlier reports that it compromised the data of only one percent of users.

In a November 21 update on the incident, David Bradbury, chief security officer at Okta, confirmed that a subsequent review of the earlier analysis yielded new findings.

“Okta Security has continued to review our initial analysis shared on November 3, re-examining the actions that the threat actor performed,” said Bradbury in a statement. “Today we are sharing new information that potentially impacts the security of our customers.”

The review included manually recreating the reports the threat actor ran in the system and the files the threat actor downloaded.

All Okta customer support users are impacted

In an earlier report on the incident, Okta had said that less than one percent of all the users on Okta’s customer support system were affected by the hack.

“Having finalized our investigation, we can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers,” Okta said in the earlier report. “Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks.”

However, the latest update by Bradbury clarifies that the threat actor ran and downloaded reports containing the full names and email addresses of all Okta customers, which include all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers.
Okta’s Auth0/CIC support case management system, along with its FedRAMP High and DoD IL4 environments (environments using a different support system), are not impacted, Bradbury added.

The reason for the discrepancy in the earlier analysis was the assumption that the threat actor had run a filtered view of the report they had access to. An “unfiltered run” by the threat actor was later confirmed because it resulted in a considerably larger file, one that closely matches the download logged in Okta’s security telemetry.

While Okta has no direct knowledge or evidence of active exploitation yet, it warns that this information could be used to target Okta customers via phishing or social engineering attacks.

Okta recommends MFA, better session controls

To ward off exploits, Okta has recommended that all its customers employ multifactor authentication (MFA) and consider the use of phishing-resistant authenticators to further enhance their security. Such authenticators include Okta Verify FastPass, FIDO2 WebAuthn, and PIV/CAC Smart Cards.

“Okta’s hack is a serious issue, and it highlights the importance of two-factor authentication,” said Pareekh Jain, chief analyst at Pareekh Consulting. “Even working with big software vendors, users can not be fully sure about security. So, both enterprises and consumers should enable TFA to protect themselves against phishing.”

Okta has also recommended that customers enable an early access feature in Okta that requires admins to reauthenticate if their session is reused from an IP address with a different ASN (Autonomous System Number). It also encourages customers to use and customize its Admin Console Timeouts feature to set default session durations.
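The two session controls recommended above (reauthentication when a session is reused from a different ASN, and session timeouts) can be sketched as a single server-side check. This is an added example, not Okta's implementation: the `AdminSession` and `check_request` names, the timeout values and the IP-to-ASN table are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed IP-to-ASN table using documentation prefixes and ASNs
# (RFC 5737 / RFC 5398). A real deployment would query an ASN database.
ASN_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64496,
    ipaddress.ip_network("203.0.113.0/24"): 64511,
}

MAX_LIFETIME = 12 * 3600  # assumed absolute session lifetime, in seconds
IDLE_TIMEOUT = 15 * 60    # assumed idle timeout, in seconds


def asn_for(ip):
    """Return the ASN of the most specific matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, asn) for net, asn in ASN_TABLE.items() if addr in net]
    return max(matches)[1] if matches else None


@dataclass
class AdminSession:
    user: str
    created: int    # epoch seconds at login
    last_seen: int  # epoch seconds of the last accepted request
    asn: int        # ASN observed at login


def check_request(session, src_ip, now):
    """Decide whether a request carrying this session token may proceed."""
    if now - session.created > MAX_LIFETIME:
        return "reauth: session lifetime exceeded"
    if now - session.last_seen > IDLE_TIMEOUT:
        return "reauth: idle timeout"
    asn = asn_for(src_ip)
    if asn is None or asn != session.asn:
        # The token is being presented from a different network than the one
        # it was issued to, which is what a replayed stolen token looks like.
        return "reauth: ASN changed"
    session.last_seen = now
    return "allow"
```

Binding to the ASN rather than the exact IP address lets an admin change addresses within the same provider without being interrupted, while a token replayed from another network is forced back through authentication.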