Okta Breach Severity Severely Upgraded

Posted on Thursday, Dec 21, 2023 by Chris Hayner

Featured in this episode of Tech News of the Week

And I quote: “Okta upped its original estimate of customer support users affected by a recent breach from 1 percent to 100 percent, citing a ‘discrepancy.’”

That is a hell of a discrepancy. Okta has been dealing with the fallout of a breach since it was first announced back in October. Back then, it wasn’t a big deal, relatively speaking: “about 1 percent” of its customers were affected, notified, etc., etc.

Then in late November, they silently updated the post about the incident to use the somewhat troubling word “all.” All customers. 100%. Yikes.

Now, there are some silver linings here. First off, there’s Okta’s root cause analysis post (which has not yet been updated to say “all,” we should note). The RCA states that the attack window was between Sept 28th and Oct 17th, when attackers utilized a built-in system account to scrape data from the customer support system.

One thing that was captured for certain customers was HAR files. These contained session tokens that could then in turn be used to hijack customer sessions, thus expanding the attack from Okta systems to customer systems. The RCA says this happened to 5 customers, but again, it also hasn’t been updated.
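As an added example (not from this post, and not Okta's code), here is a small Python sanitizer that shows where session material lives inside a HAR capture and strips it before the file is handed to anyone's support desk; the header list and the sample capture are constructed for illustration.

```python
import json
from copy import deepcopy

REDACTED = "[REDACTED]"
# Header names that commonly carry session or bearer credentials (constructed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

def _scrub_pairs(pairs, names):
    """Redact values whose name is in `names` (every pair if names is None)."""
    count = 0
    for pair in pairs:
        if names is None or pair.get("name", "").lower() in names:
            pair["value"] = REDACTED
            count += 1
    return count

def sanitize_har(har):
    """Redact credential headers and all cookies in place; return count redacted."""
    redacted = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            redacted += _scrub_pairs(message.get("headers", []), SENSITIVE_HEADERS)
            redacted += _scrub_pairs(message.get("cookies", []), None)  # all cookies
    return redacted

def sanitize_copy(har):
    """Sanitize a deep copy so the original capture stays untouched."""
    clean = deepcopy(har)
    return clean, sanitize_har(clean)

# Constructed sample capture: one request to a hypothetical support portal
# that sends a session cookie and receives a refreshed one.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://support.example.com/api/cases",
        "headers": [{"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
    },
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "def456"}],
    },
}]}}

if __name__ == "__main__":
    clean, count = sanitize_copy(SAMPLE_HAR)
    print(json.dumps(clean, indent=2))
```

Run it against a real export with `json.load` and you get the same capture with every cookie and auth header blanked, which is what a support engineer needs and nothing an attacker could replay.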

For all customers, data scraping pulled the usual: names, account info, email addresses, roles, phone numbers, etc. This is bad, but admittedly it’s not as bad as the whole ‘session hijacking’ thing. If you are one of the smaller group with compromised HAR files, you likely have already been privately notified and are suitably pissed off.

For the all customers group, the usual lecture applies: change passwords, keep them unique, use MFA, don’t trust any emails from strangers, hit the gym, delete Facebook, unplug your computer, set it on fire, take a walk outside, renounce your citizenship, change your name, start a new life as a surly-yet-mysterious surf instructor in Portugal.