Identity and access provider Okta now says the threat actor who accessed its customer help desk system last month got the names and email addresses of all contacts of organizations that use its support system.
Originally, the company said that, after an investigation, it determined only one per cent of the contacts from its 18,000 customers had information stolen, which included session tokens that could be used to infiltrate the IT networks of those firms. Of those, only a handful of organizations were actually hacked through those tokens.
However, on Wednesday Okta CSO David Bradbury acknowledged the hacker also ran and downloaded a report that contained the names and email addresses of all Okta customer support system users and, for a small number of people, their phone numbers.
“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor),” he wrote. “The Auth0/CIC support case management system was also not impacted by this incident.”
The file had fields that included the company name, name of the Okta customer that contacted support, and their office and mobile phone numbers. “The majority of the fields in the report are blank,” Bradbury said, “and the report does not include user credentials or sensitive personal data. For 99.6 per cent of users in the report, the only contact information recorded is full name and email address.”
Recognizing that stolen email addresses are a phishing risk, Bradbury added this advice:
“Many users of the customer support system are Okta administrators,” he noted. “It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).”
“While 94 per cent of Okta customers already require MFA for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing-resistant authenticators to further enhance their security.”
Okta also identified additional reports and support cases that the threat actor accessed, which contain contact information of all Okta-certified users and some Okta Customer Identity Cloud (CIC) customer contacts, and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data, Bradbury said.
On the one hand, that means perhaps hundreds or more IT staff who have dealt with Okta support may get spear-phishing messages that appear to come from the company. On the other hand, the number of companies vulnerable to stolen session tokens hasn’t changed.
The session tokens were included in some HTTP Archive (HAR) files that IT customers uploaded to Okta support to help narrow down the cause of a problem.
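As an added example (not code from the article or from Okta), the following Python script redacts cookies and bearer-style headers from a HAR capture before it is handed to a support desk, which is the check a customer would want to run before uploading one. It assumes the standard HAR 1.2 JSON layout; the sample capture, the cookie name and the token value are constructed.

```python
import copy
import json

REDACTED = "[REDACTED]"
# Header and parameter names whose values carry session material (lower-case).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "sessiontoken", "code"}

def _scrub_pairs(pairs, names):
    """Blank the value of every {name, value} pair whose name is in `names`."""
    for pair in pairs:
        if pair.get("name", "").lower() in names:
            pair["value"] = REDACTED

def sanitize_har(har):
    """Return a copy of `har` with cookies and bearer material redacted from every entry."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            for cookie in msg.get("cookies", []):  # parsed copy of Cookie/Set-Cookie
                cookie["value"] = REDACTED
            _scrub_pairs(msg.get("queryString", []), SENSITIVE_PARAMS)
        # Form-encoded POST bodies may carry tokens as well
        _scrub_pairs(entry.get("request", {}).get("postData", {}).get("params", []),
                     SENSITIVE_PARAMS)
    return clean

def contains(har, secret):
    """True if the literal `secret` still appears anywhere in the serialized HAR."""
    return secret in json.dumps(har)

# Constructed sample: one request/response pair carrying a made-up session cookie.
SESSION = "CONSTRUCTED_SESSION_TOKEN"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example-org.okta.invalid/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": f"sid={SESSION}"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": SESSION}],
        "queryString": [], "postData": {"params": []}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": f"sid={SESSION}; Secure; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": SESSION}]}}]}}
```

Run `contains(clean, secret)` on the sanitized copy with any known token value to confirm nothing leaked before the file leaves the organization.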
SCMagazine.com quoted Ken Westin, field CISO at Panther Labs, saying it’s “irresponsible” of Okta to continue to downplay the compromise by making statements like there’s no “direct evidence” the threat actors are using the compromised data to target these customers.
“If they didn’t know the scope of the compromise or who the unknown actors are, they are not in a position to understand the attackers’ intent or the full risk the breached data poses to their customers. This kind of rhetoric can further erode trust in an already difficult situation,” said Westin. “At this point, it’s best for Okta to stick to facts and be transparent about the breach, so customers can make appropriate decisions about how best to manage the risk. In a world of ‘zero-trust,’ if your identity provider is compromised, it can mean zero security.”