Okta breach includes theft of data on nearly all help desk users, including some feds

Identity management company Okta said in a Wednesday blog post that hackers stole a report that included names and email addresses of users of the company's customer support system.

The company said that FedRamp High and Defense Department Impact-Level 4 customers were not affected by the breach, but that data on all other Workforce Identity Cloud and Customer Identity Solution customers was exfiltrated in the hack. This includes users of Okta's FedRAMP Moderate and DOD IL2 systems, the company told Nextgov/FCW in an emailed statement.

FedRAMP High and DOD IL4 customers have a separate support platform, according to Okta.

Initially Okta said that information on 1% of its customers was compromised. In a subsequent letter to customers, the company indicated that more than 99% of customers had at least an email and name compromised in the hack.

Okta is a leading provider of identity authentication services. It counts dozens of federal agencies among its customers, including the Department of Veterans Affairs, the Centers for Medicare and Medicaid Services, the Department of Defense, Treasury, NASA and more, according to federal contracting data. On the corporate side, Okta provides services to FedEx, Zoom, JetBlue and other customers, according to its website.

The stolen data includes customer usernames, emails, phone numbers, dates of last login and other information. The hack, which was discovered in October, affected customer support systems, not Okta's core identity management service. The company still urged customers to be wary, because the purloined information could be used to target impacted individuals with email and telephone scams.

"While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks," David Bradbury, the company's chief security officer, said in the blog post.

The company advised customers to implement multifactor authentication and urged users with administrative authority over client systems to use phishing resistant authenticators, like a FIDO-compliant token such as a Yubikey or smartcards like the PIV and CAC cards used by federal and defense customers. The company also recommended additional measures, detailed in Bradbury's blog post, to secure administrative accounts.

Okta is continuing to investigate. Bradbury said the company is "working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion." In a statement shared with Nextgov/FCW, the company said it would also reach out to individuals whose information was downloaded in the breach.