The hack of Okta’s customer support system impacted far more customers than the 1% the company originally believed.
The identity management giant said in a letter to clients Tuesday that hackers who compromised the system stole data from all of the cybersecurity firm’s customer support users. More specifically, the cybercriminals downloaded a report that included information on everyone who uses its customer support system.
“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRAMP High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident,” the company explained in a blog post published Wednesday.
The customer report included fields for usernames, full names, company names, mobile phone numbers, and email addresses. According to Okta, for the majority of its clients, these fields were blank, and the hackers mostly got their hands on full names and email addresses.
This still means that “there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks,” Okta chief security officer David Bradbury said. “While 94% of Okta customers already require MFA for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing resistant authenticators to further enhance their security.”
Okta first disclosed its initial findings about the October data breach earlier this month and later said that the hack only affected around 130 customers.
“During our investigation into suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury said in mid-November. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”