Okta, a provider of identity services, has recently disclosed that there has been further activity from the threat actor responsible for the breach of its support case management system in October 2023. The company revealed that the threat actor was able to access the names and email addresses of all Okta customer support system users, impacting all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, with the exception of those in specific environments.
The threat actor also gained access to reports containing contact information for all Okta certified users and some Okta Customer Identity Cloud (CIC) customers, as well as unspecified Okta employee information. Notably, Okta emphasized that the data does not contain user credentials or sensitive personal data.
Although there is no evidence of the stolen information being actively used for malicious purposes, Okta has taken proactive steps to notify all customers of potential phishing and social engineering risks. The company has also implemented new security features on its platforms and provided customers with specific recommendations to defend against potential targeted attacks.
Okta has engaged a digital forensics firm to support its investigation, and the company has stated that it will notify individuals who have had their information downloaded. This recent disclosure comes after Okta initially reported that the breach had affected 1% of its customers.
The identity of the threat actors behind the attack is currently unknown, but it’s worth noting that a cybercrime group called Scattered Spider targeted Okta in the past, using sophisticated social engineering attacks to obtain elevated administrator permissions.
According to a report by ReliaQuest, Scattered Spider has shown the ability to infiltrate cloud and on-premises environments and has evolved into an affiliate for the BlackCat ransomware operation, deploying file-encrypting malware for profit.
ReliaQuest researcher James Xiang stated, “The group’s ongoing activity is a testament to the capabilities of a highly skilled threat actor or group having an intricate understanding of cloud and on-premises environments, enabling them to navigate with sophistication.”
As a result of this disclosure, Okta customers are urged to remain vigilant and follow the company’s specific recommendations to protect against potential targeted attacks. Okta’s commitment to transparency and proactive communication with customers underscores its dedication to addressing and mitigating the impact of the breach.
