Okta Didn’t Acknowledge Breach For More Than Two Weeks, Customer Says

A customer, cybersecurity vendor BeyondTrust, said that it ‘raised our concerns of a breach to Okta’ in early October, but the breach was only acknowledged by Okta on Friday.


Okta did not acknowledge a breach of its support system for more than two weeks after concerns were raised about the incident, according to cybersecurity vendor BeyondTrust, which said it discovered the breach and is among the impacted customers.

On Friday, Okta disclosed that an attacker was able to view data belonging to certain customers, through using a stolen credential to access Okta’s support case management system.

[Related: Hackers Hit The IT Industry: 12 Companies Targeted In 2023]

Sponsored post

BeyondTrust said in a post Friday that it initially detected the attack and informed Okta about it.

“We raised our concerns of a breach to Okta on October 2nd,” BeyondTrust said. “Having received no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta until October 19th when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers.”

In response to an inquiry by CRN, Okta said in a statement Friday that it “recently” notified customers about the incident, and highlighted several details that had been shared earlier Friday in a post by Okta Chief Security Officer David Bradbury.

Okta reiterated in its statement to CRN that the affected support system is separate from the company’s identity service, and that the identity service is “fully operational and has not been impacted.”

“We have notified impacted customers and taken measures to protect all our customers,” the company said in the statement.

Okta has not disclosed the number of impacted customers or types of data that may have been viewed. Journalist Brian Krebs reported Friday that he was told by Okta that a “very small subset” of its 18,000 customers were impacted.

The identity security vendor also hasn’t provided its own timeline for the breach.

However, the timeline shared by BeyondTrust suggests that Okta did not acknowledge the breach for more than two weeks after being informed about it.

“On October 2nd, 2023, the BeyondTrust security teams detected an identity-centric attack on an in-house Okta administrator account,” the company said in its post. “We immediately detected and remediated the attack through our own Identity Security tools, resulting in no impact or exposure to BeyondTrust’s infrastructure or to our customers. The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers.”

Okta’s stock price dropped 11.6 percent, to $75.57 a share, on Friday following the disclosure of the breach.

Lapsus$ Incident

In 2022, Okta suffered reputational damage as a result of not disclosing a breach of a third-party Okta support provider. The attack occurred in January 2022, but Okta did not disclose the breach until after the hacker group Lapsus$ had posted on Telegram about the incident in March 2022.

While initially thought that the threat actor may have accessed data from hundreds of customers, the company subsequently said an investigation found that only two Okta customers were impacted.

Still, Okta Co-Founder and CEO Todd McKinnon later said in an interview that it was a misstep to not disclose that there was an incident sooner.

“If that happens in January, customers can’t be finding out about it in March,” McKinnon said in May 2022.

‘Unauthorized Access’

In the Okta post Friday, Bradbury said that a stolen credential was used by an attacker to gain “unauthorized access” to the support system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Bradbury wrote.

Since the attack was uncovered, Okta has “worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” Bradbury said in the post.