US access and identity management giant Okta says hackers stole data on all of its customers during a recent breach of its support systems, although it previously said only a fraction of customers were affected.
Okta confirmed in October that a hacker used a stolen credential to access its support case management system and steal session tokens uploaded by customers, which could be used to break into the networks of Okta’s customers. Okta told TechCrunch at the time that about 1% of customers, or 134 organizations, were affected by the breach.
In a blog post published on Wednesday, Okta’s chief security officer, David Bradbury, said the company has since determined that all of its customers are affected by the breach. Okta spokesperson Cat Schermann wouldn’t give an exact number when asked by TechCrunch, but Okta has about 18,000 customers, according to the company’s website, including 1Password, Cloudflare, OpenAI and T-Mobile.
Bradbury said that on Sept. 28, a hacker ran and downloaded a report that contained data belonging to “all users of Okta’s customer support system.” For 99.6% of customers, the hackers only had access to full names and email addresses, according to Okta, although in some cases they may have also accessed phone numbers, usernames and details of certain employee roles.
“While we have no direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor could use this information to target Okta customers through phishing or social engineering attacks,” Bradbury said. The infamous Scattered Spider hacking group, also known as Oktapus, has previously used various social engineering tactics to target the accounts of Okta customers, including Caesars Entertainment and MGM Resorts.
Okta advises all customers to use multi-factor authentication, and to use phishing-resistant authenticators such as physical security keys.
Okta says its further analysis has also determined that the threat actor had access to “additional reports and support cases” containing the contact information of all Okta-certified users and certain Okta Customer Identity Cloud (CIC) customer contacts. Some Okta employee information was also included in those reports, but the company has not confirmed how many of its 6,000 employees are affected.
Okta says none of its government customers are affected by the breach and that its Auth0 support case management system was unaffected.
The identity of the threat actors behind the latest breach of Okta’s systems is not yet known.
This is the latest of many security incidents affecting Okta. Last year, the company admitted that hackers had stolen some of its source code. A separate incident earlier in the year saw hackers release screenshots showing access to the company’s internal network after a company Okta used for customer service was hacked.