Identity services provider Okta revealed that the scope of the previously disclosed data breach is much wider than initially thought.
In late October, Okta disclosed that unknown attackers gained access to its support case management system using stolen credentials. The intruders were able to view files uploaded by certain Okta customers as part of recent support cases.
The intrusion was made public after some of the affected customers, including BeyondTrust, Cloudflare and 1Password, confirmed that attackers had used information stolen from Okta in attempts to break into their own systems.
In an update published on November 29, Okta’s Chief Security Officer David Bradbury said that all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers have been found to be impacted by the incident. Customers in Okta’s FedRAMP High and DoD IL4 environments, which use a separate support system, are not affected. The Auth0/CIC support case management system was not accessed by the attackers.
“Okta Security reviewed our initial analysis of the actions that the threat actor performed, including manually recreating the reports that the threat actor ran within the customer support system. We identified that the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation. After additional analysis, we concluded that the report contained a list of all customer support system users,” Bradbury explained in a blog post.
“The discrepancy in our initial analysis stems from the threat actor running an unfiltered view of the report. Our November review identified that if the filters were removed from the templated report, the downloaded file was considerably larger - and more closely matched the size of the file download logged in our security telemetry.”
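The investigative step Bradbury describes, regenerating the reports the actor ran and checking whether the sizes match what the security telemetry recorded for the actual downloads, is a reconciliation any incident responder can script. The following is an added example of that check and is not Okta's code; the telemetry line format, field names, report names and byte counts are all constructed for illustration.

```python
"""Reconcile report-download sizes recorded in security telemetry against
the sizes of the same reports regenerated during an investigation.

Added example, not Okta's code. The log format, report names and sizes
below are constructed (hypothetical) values.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed telemetry (hypothetical format): one record per file download.
TELEMETRY = """\
2023-10-17T14:02:11Z event=report.download user=svc-support report=user_list bytes=4210533
2023-10-17T14:05:48Z event=report.download user=svc-support report=case_export bytes=18777
"""

# Sizes of each report as regenerated by investigators, once with the
# template's default filters applied and once with every filter removed.
REGENERATED = {
    "user_list": {"filtered": 61204, "unfiltered": 4210533},
    "case_export": {"filtered": 18777, "unfiltered": 18777},
}

LINE_RE = re.compile(r"event=report\.download .*?report=(\S+) .*?bytes=(\d+)")


@dataclass
class Finding:
    report: str
    logged_bytes: int
    best_match: str            # "filtered", "unfiltered" or "none"
    deviation: Optional[float]  # relative gap to the best-matching regenerated size


def parse_downloads(text):
    """Return (report, bytes) tuples for each download record in the telemetry."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def reconcile(telemetry, regenerated, tolerance=0.05):
    """Match each logged download against the regenerated report sizes.

    A download within `tolerance` of only the unfiltered variant means the
    actor ran the report with the template's filters removed, so the data
    exposed is the full, unfiltered set. A download matching neither variant
    is reported as "none" and needs manual follow-up.
    """
    findings = []
    for report, logged in parse_downloads(telemetry):
        variants = regenerated.get(report, {})
        best, best_dev = "none", float("inf")
        for name, size in variants.items():
            dev = abs(logged - size) / max(size, 1)
            if dev < best_dev:
                best, best_dev = name, dev
        if best_dev > tolerance:
            best = "none"
        deviation = round(best_dev, 4) if best_dev != float("inf") else None
        findings.append(Finding(report, logged, best, deviation))
    return findings


def needs_rescoping(findings):
    """Reports whose logged download size only fits the unfiltered variant."""
    return [f.report for f in findings if f.best_match == "unfiltered"]


if __name__ == "__main__":
    results = reconcile(TELEMETRY, REGENERATED)
    for f in results:
        print(f"{f.report}: logged {f.logged_bytes} bytes -> {f.best_match} (dev={f.deviation})")
    print("reports to re-scope:", needs_rescoping(results))
```

The point of comparing against both variants is that a size matching the filtered run is not evidence of a limited download: the initial analysis in this incident went wrong precisely by assuming the actor used the same filters the investigators did. Recording the telemetry size first and then regenerating until something fits it, rather than the other way round, keeps the logged artifact as the ground truth.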
According to Bradbury, the compromised file contained the names and email addresses of all Okta customer support system users and didn’t include user credentials or sensitive personal data.
“While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks,” he said.