The fallout from an Okta breach earlier this fall expanded dramatically this week after the single sign-on provider said an incident it previously determined to affect 1% of its customer support system clients, in fact, compromised them all.
Data on every Okta customer support system client was exposed by a cyberattack in late September, CSO David Bradbury said Nov. 29 in a blog post.
The company previously said the threat actor accessed files on 134 customers, less than 1% of its customer base, which ultimately compromised five customers, including BeyondTrust, Cloudflare and 1Password.
Now, two months after customers first reported suspicious activity on their Okta environments, the company said it’s determined the threat actor ran a report on Sept. 28 that contained the names and email addresses of all Okta customer support system users.
Okta did not respond to an inquiry about the total number of customers impacted. The company said it had more than 18,400 business customers in October.
“The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data,” Bradbury said in the blog post.
Targets acquired
Many Okta support system users are Okta administrators for their organizations, which amplifies the potential risk of follow-on attacks.
“While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks,” Bradbury said.
After Okta reported the scope of the attack was limited in a Nov. 3 update, security staff determined the initial analysis missed one large file the threat actor ran within the customer support system.
“The discrepancy in our initial analysis stems from the threat actor running an unfiltered view of the report,” Bradbury said.
Okta discovered additional reports and support cases the threat actor accessed, which further broadened the exposure to all Okta Workforce Identity Cloud and Customer Identity Solution customers. Government agency customers using Okta’s FedRamp High and Department of Defense IL4 environments were not impacted, the company said.
“Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data,” Bradbury said.
The widescale incident marks the second string of attacks to hit the identity and access management provider or its customers’ Okta environments since late July.
Okta said it’s working with an external digital forensics firm to validate its findings and intends to share the report with customers upon completion.