Okta admits hackers accessed data on all customers during recent breach

U.S. access and identity management giant Okta says hackers stole data about all of its customers during a recent breach of its support systems, despite previously stating that only a fraction of customers were affected.

Okta confirmed in October that a hacker used a stolen credential to access its support case management system and steal customer-uploaded session tokens that could be used to break into the networks of Okta customers. Okta told TechCrunch at the time that around 1% of customers, or 134 organizations, were affected by the breach.

In a blog post published on Wednesday, Okta chief security officer David Bradbury said the company has since determined that all of its customers are affected by the breach. Okta spokesperson Cat Schermann would not provide an exact figure when asked by TechCrunch, but Okta has around 18,000 customers, according to the company’s website, including 1Password, Cloudflare, OpenAI and T-Mobile.

Bradbury said on September 28, a hacker ran and downloaded a report that contained data belonging to “all Okta customer support system users.” For 99.6% of customers, hackers accessed only full names and email addresses, according to Okta, though in some cases they may also have accessed phone numbers, usernames and details of some employee roles.

“While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks,” Bradbury said. The notorious Scattered Spider hacking group, also known as Oktapus, has previously leveraged various social engineering tactics to target the accounts of Okta customers, including Caesars Entertainment and MGM Resorts.

Okta is advising all customers to use multi-factor authentication and to use phishing-resistant authenticators, such as physical security keys.

Okta says its follow-up analysis has also determined that the threat actor accessed “additional reports and support cases” containing the contact information of all Okta-certified users and some Okta Customer Identity Cloud (CIC) customer contacts. Some Okta employee information was also included in these reports, but the company hasn’t confirmed how many of its 6,000 employees are affected.

Okta says that none of its government customers are affected by the breach, and said its Auth0 support case management system was not impacted.

The identity of the threat actors behind the most recent breach of Okta's systems is not yet known.

This is the latest of many security incidents impacting Okta. Last year, the company admitted that hackers stole some of its source code. A separate incident earlier in the year saw hackers post screenshots showing access to the company’s internal network after hacking into a company Okta used for customer service.