Okta Warns: Hackers Stole Data For All Customer Support Users
Dan D'Augelli, MS
Helping organizations make their cybersecurity a catalyst for transformation
Okta Inc. has discovered that hackers who breached its network two months ago stole information on all users of its customer support system — a scope far greater than the 1 percent of customers the company had previously said were affected.
The company, which manages user authentication services for thousands of institutions, notified customers in a letter Tuesday that it has now determined the hackers downloaded a report containing data including names and email addresses for all clients in its customer support system. As a result, Okta warned customers may face an increased risk of attacks and urged them to use strong multi-factor authentication.
Tuesday’s findings underscore how the San Francisco-based firm continues to grapple with the fallout of the cyberattack first disclosed last month, when it estimated that about 184 clients — representing roughly 1 percent of customers — were affected. It wasn’t the first time Okta had been breached: A hacking group broke into its system last year and posted screenshots that appeared to show access to Okta accounts. Chief executive Todd McKinnon vowed after that attack to work to restore trust in Okta’s brand.
Okta confirmed that it sent a notice to customers on Tuesday, warning them that they may face an increased risk of phishing and social engineering attacks. The company also said it pushed new security features and recommendations to defend against targeted attacks.
“We are working with a digital forensics firm to support our investigation and we will be sharing the report with customers upon completion,” Okta said in a statement.
Okta said in the customer notice that a recent audit found more data was stolen than the company had initially thought, prompting the firm to revise its findings. It also discovered that some Okta employee information was included in stolen reports, according to the customer notice reviewed by Bloomberg.
The customer report contained fields for customer user names, company names, and mobile phone numbers, Okta said, while noting that the majority of the fields were blank and didn’t include credentials or sensitive personal data. For more than 99 percent of customers listed in the report, Okta said, contact information consisted of full names and email addresses.
Many of the affected users of the customer support system are Okta administrators, according to the company’s notice.
Source: Boston Globe | Graham Starr
###
This year the average cost of a data breach ballooned to a record high of $4.45 million globally. But there are security strategies organizations can adopt to decrease this cost, according to the latest research published by the Ponemon Group.
Don't become a victim. IBM Security can help: provide a Zero Trust security strategy to support your business initiatives; protect your users, data, and applications; proactively manage your defenses against sophisticated threats; and modernize your security infrastructure with an open hybrid cloud platform, which will save you time and money.