CyberSecurity SEE

Okta confirms data leak on hacking forum was not from its systems

Okta has refuted claims made by a cybercriminal that its company data was leaked following a cyberattack back in October 2023. The San Francisco-based cloud identity and access management solutions provider has denied any connection to the alleged stolen files shared on a hacker forum by a threat actor using the alias ‘Ddarknotevil’.

The incident in October 2023 involved hackers breaching Okta’s support system using stolen credentials, which allowed them to steal cookies and authentication information for some customers. Following an internal investigation that concluded in late November, it was determined that all users of the customer support system were affected by the breach. This heightened the risk of potential breaches for multiple Okta clients, with one notable case being a compromise of Cloudflare’s self-hosted Atlassian servers where hackers used access tokens obtained during the Okta breach.

Over the weekend, ‘Ddarknotevil’ claimed to be releasing an Okta Database containing information of 3,800 customers that was allegedly stolen during the breach last year. The leaked data reportedly includes user IDs, full names, company names, office addresses, phone numbers, email addresses, positions/roles, and other personal information.

When contacted by BleepingComputer regarding the claims, Okta responded by stating that the data does not belong to them and appears to be sourced from public information available on the internet. An Okta spokesperson clarified that the leaked data is not associated with the October 2023 security incident and highlighted that some fields in the data have dates from over a decade ago, suggesting that it may have been aggregated from public sources online.

Furthermore, Okta’s IT team conducted a thorough investigation of all systems over the weekend and found no evidence of a breach. Cyber-intelligence firm KELA also examined the shared data and confirmed independently that it does not belong to Okta, but rather to a different company that experienced a breach in July 2023.

KELA’s analysis revealed that the data shared by ‘Ddarknotevil’ aligns with a dump from July 2023 by the threat actor ‘IntelBroker’, who claimed to have obtained it from the National Defense Information Sharing and Analysis Center. This information supports Okta’s assertion that the leaked data does not pertain to their organization and is likely from a separate breach incident earlier in the year.

In light of these developments, Okta continues to prioritize data security and remains vigilant in safeguarding customer information from cyber threats. The company’s proactive response to the situation underscores its commitment to protecting user data and maintaining trust with its clients amid evolving cybersecurity challenges.
