On October 19, Okta advised customers of a security incident where a threat actor gained access to Okta’s customer support system (also known as the Okta Help Center) between September 28, 2023 and October 17, 2023. Once Okta detected the unauthorized access, we stopped the attack and prevented further unauthorized access, which we detailed in our Root Cause Analysis (RCA) on November 3, 2023. We are now sharing new information after a detailed review of all actions performed by the threat actor. Please note we will be posting this incident update on the Okta Security blog on November 29, 2023. Until such time, please treat this information as confidential.
We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident.
The threat actor ran a report on September 28, 2023 at 15:06 UTC that contained the following fields for each user in Okta’s customer support system:
Created Date | Last Login | Full Name | Username | Email | Company Name | User Type | Address | [Date of] Last Password Change or Reset | Role: Name | Role: Description | Phone | Mobile | Time Zone | SAML Federation ID
The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address.
Why it matters: While we have not seen direct evidence that the threat actor is using this list to launch phishing attacks against support system users, phishing attacks are a constant threat. It’s important that customers use strong MFA.
Okta customers sign-in to Okta’s customer support system using the same accounts they use in their Okta org. Many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s). For more information on when users are created in the customer support system, see the Knowledge Base article: How to Manage Okta Help Center User Accounts.
How to view your data: We have created a self-service report in our customer support system so that you can immediately access the data downloaded by the threat actor that is relevant to your Okta account. The top of the Okta Help Center (support.okta.com) now displays a banner where Super Administrators in your org can obtain the full report.
Okta’s recommendation: Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users. While 94% of Okta customers already require MFA for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing resistant authenticators to further enhance their security. Please refer to product documentation to enable MFA for the admin console (Classic or OIE).
How we discovered this
Following the publication of the RCA, Okta Security reviewed our initial analysis of the actions that the threat actor performed, including manually recreating the reports that the threat actor ran within the customer support system. We identified that the file size of one particular report downloaded by the threat actor was larger than the file we generated during our initial review. After additional analysis, we concluded that the downloaded report contained a list of all customer support system users. The discrepancy in our initial analysis stems from the threat actor running an unfiltered view of the report. Our November review identified that if the filters were removed from the templated report, the downloaded file was considerably larger - and more closely matched the size of the file download logged in our security telemetry.
We also identified additional reports and support cases that the threat actor accessed which contain contact information of all Okta certified users and some Okta Customer Identity Cloud (CIC) customer contacts and other information. Some Okta employee information was also included in these reports. This contact information does not include user credentials or sensitive personal data.
We are working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion.
Implementing recommended best practices
We will continue to partner with you to implement recommended best practices for securing your Okta environments, including:
Multi-Factor Authentication (MFA): We strongly recommend all Okta customers secure admin access using MFA at a minimum. We also strongly encourage customers to enroll administrative users in phishing resistant authenticators (such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards) and to enforce phishing resistance for access to all administrative applications. Please refer to product documentation to enable MFA for the admin console (Classic or OIE).
Admin Session Binding: As communicated in the Security Incident RCA, customers can now enable an Early Access feature in Okta which requires admins to reauthenticate if their session is reused from an IP address with a different ASN (Autonomous System Number). Okta strongly recommends customers enable this feature to further secure admin sessions.
Admin Session Timeout: To align with NIST AAL3 guidelines and increase the security posture of every customer, Okta is introducing Admin Console timeouts which will be set to a default of 12-hour session duration and a 15-minute idle time. Customers will have the option to edit these settings . This will be available as an Early Access feature starting November 29th for preview orgs and December 4th for production orgs. The feature will be available for all production orgs by January 8th, 2024. An email was sent to all Super Admins regarding this change on November 27th, and a copy of that communication can be found in the Knowledge Base article: Admin Session Lifetime/Idle Timeout Security Enhancements.
Phishing Awareness: In addition, Okta customers should be vigilant of phishing attempts that target their employees and especially wary of social engineering attempts that target their IT Help Desks and related service providers. We recommend Okta customers implement our industry-leading, phishing-resistant methods for enrollment, authentication, and recovery. Please see Okta Solutions for Phishing Resistance for more information on protecting your organization from phishing. We also strongly recommend that customers review their IT Help Desk verification processes and ensure that appropriate checks, such as visual verification, are performed before performing high risk actions such as password or factor resets on privileged accounts.
For additional information, please refer to the FAQs below.
We apologize for the inconvenience and concern surrounding this incident. We greatly value you as our customer and we thank you for the continued partnership.
Frequently Asked Questions for Customers and Partners
Q1: What happened?
Okta is providing an important security update and sharing new information as part of the recent customer support system security incident in October 2023. A brief summary is that we have determined that the threat actor obtained the contact information of our customer support system users across a significant portion of our customers, and we are communicating to those customers that there is an increased risk of phishing and social engineering attacks directed at these users. (This contact information does not include user credentials or sensitive personal data.) Additional information communicated previously about this security incident is available in our two prior blog posts: Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation (November 3, 2023) and Tracking Unauthorized Access to Okta's Support System (October 20, 2023).
Q2: Is the Okta service secure and operational?
Q3: Does this security incident impact other Okta products?
No. This security incident involved unauthorized access to our customer support system. Many users of the customer support system are Okta administrators so it is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).
Q4: Is Okta observing threat actors using this information to actively attack its customers? Is that why Okta is sharing this security update?
We do not have direct knowledge or evidence that this information is being actively exploited for phishing or social engineering. We are sharing this proactively because these types of threats are pervasive and customers should protect themselves.
Q5: Do customers need to rotate passwords or keys in response to this additional disclosure?
There were no credentials or other secrets contained in the reports accessed by the threat actor. Customers with passwords or session tokens exposed in this incident were already informed in October 2023.
Q6: Has Okta engaged a third-party for this security investigation?
Yes. We are working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion. To ensure the third-party firm has sufficient time to complete their investigation, there is not an estimated completion date at this stage.
Q7: Is a threat actor extorting your organization?
Q8: Will Okta provide the identity of the threat actor for this incident?
No, Okta will not publicly attribute the threat actor responsible for this security incident.
Q9: Where can I find more information to understand the downloaded report as well as the data within Okta’s customer support system? For example, does the report include role information, such as administrators, that use the customer support system?
Important Note: All information in the downloaded report is from fields within Okta’s customer support system. The report does not contain information about which users are Okta Admins. More information about the downloaded report and customer support system data is available in our Knowledge Base article: Overview of the Threat Actor Contact Report.
Q10: How will Okta avoid a similar security incident in the future?
Our root cause and remediation blog update on November 3, 2023, Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation, lists the security improvements Okta has made following this incident.