Oct 24, 2023 - Technology

Okta customers report impact of most recent breach


The scope and scale of Okta's most recent breach are still coming together as new customers come forward to share details about how they were targeted.

Why it matters: Okta — which provides single sign-on and multifactor authentication tools — has taken a serious financial hit since it disclosed Friday that hackers had stolen some of its support case management system files.

Driving the news: On Oct. 20, Okta said that a hacker had used a stolen password to access the company's support case management system.

  • Journalist Brian Krebs first reported the news. An Okta spokesperson told Axios the incident has resulted in "minimal" customer impact.
  • The company has lost more than $2 billion in market cap since the disclosure, per CNBC.

The big picture: This is just the latest breach in a running list of recent incidents targeting Okta customers.

  • Last month, the hackers who targeted MGM Resorts and Caesars Entertainment also attacked three other Okta customers, the company told Reuters.
  • Hackers also attacked a third-party vendor in January 2022 to gain access to Okta's network, ultimately accessing information about more than 360 customers.

Between the lines: Okta counts several major companies as customers — including FedEx, T-Mobile and OpenAI — making the company a prime target for intruders looking to break into these systems.

  • During an interview before the most recent incident's disclosure, Okta CEO Todd McKinnon told Axios that the company already has strict internal cybersecurity protocols.
  • "Our bar is as high as it can be," he said.

Details: So far, three companies have identified themselves as targets of the latest cybersecurity incident.

  • BeyondTrust, another identity management company, said in a post Friday that it first alerted Okta to suspicious activity targeting an Okta administrator on Oct. 2.
  • Cloudflare released a post Friday detailing how it thwarted an attacker who had tried hijacking its Okta instance.
  • 1Password said Monday that it first detected malicious activity tied to the Okta incident on Sept. 29, but the company said it was able to stop the attack.

The intrigue: Hackers collected customers' HTTP archive, or HAR, files, which Okta's support team uses to replicate customers' problems when they call for support.

  • These files include authentication cookies and session tokens, which allow hackers to impersonate users on a legitimate network.
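To show where those cookies and tokens sit inside a HAR file, here is an added example (not from the article, Okta or any customer) that redacts them before a capture is shared with a support team. The names sanitize_har, SENSITIVE_HEADERS and SENSITIVE_PARAM, the header and parameter lists, and the sample capture are all assumptions made for illustration.

```python
import copy
import re

# Header names whose values can be replayed (illustrative list, not exhaustive).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization"}
# Parameter names that commonly carry credentials (assumed pattern).
SENSITIVE_PARAM = re.compile(r"token|session|sid|secret|password|code|key", re.I)
REDACTED = "[REDACTED]"

def _scrub(pairs, is_sensitive):
    """Redact values in a HAR name/value list; return the number changed."""
    hits = 0
    for pair in pairs or []:
        if is_sensitive(pair.get("name", "")):
            pair["value"] = REDACTED
            hits += 1
    return hits

def sanitize_har(har):
    """Return (sanitized deep copy, count of redacted values)."""
    clean, hits = copy.deepcopy(har), 0
    is_header = lambda n: n.lower() in SENSITIVE_HEADERS
    is_param = lambda n: bool(SENSITIVE_PARAM.search(n))
    for entry in clean.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            hits += _scrub(msg.get("headers"), is_header)
            hits += _scrub(msg.get("cookies"), lambda n: True)  # every cookie value
        hits += _scrub(req.get("queryString"), is_param)
        post = req.get("postData") or {}
        hits += _scrub(post.get("params"), is_param)
        if post.get("text"):  # raw body can repeat the same credentials
            post["text"] = REDACTED
            hits += 1
        if "?" in req.get("url", ""):  # the URL duplicates the query string
            req["url"] = req["url"].split("?", 1)[0] + "?" + REDACTED
    return clean, hits

# Constructed sample capture: one request with a session cookie and bearer token.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://example.invalid/app?sessionToken=abc123&page=2",
        "headers": [{"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Authorization", "value": "Bearer abc123"},
                    {"name": "Accept", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"},
                        {"name": "page", "value": "2"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "def456"}]},
}]}}
```

Response bodies are left untouched here, so a capture whose responses return tokens in JSON still needs those bodies reviewed before it is shared.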

Yes, but: Okta is still investigating who was behind the attack and how they broke in.
