However, Bradbury's latest update clarifies that the threat actor ran and downloaded reports containing the full names and email addresses of all Okta customers, which includes all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers.
Okta’s Auth0/CIC support case management system, along with its FedRAMP High and DoD IL4 environments (which use a separate support system), is not impacted, Bradbury added.
The earlier analysis was off because Okta assumed the threat actor had run a filtered view of the report they had access to. Okta later confirmed an “unfiltered run” by the threat actor: it produced a considerably larger file, whose size closely matched the download recorded in Okta’s security telemetry.
While Okta says it has no direct knowledge or evidence that the stolen data is being actively exploited yet, it warns that the information could be used to target Okta customers with phishing or social engineering attacks.
Okta recommends MFA, better session controls
To reduce the risk of such attacks, Okta has recommended that all of its customers enforce multifactor authentication (MFA) and consider phishing-resistant authenticators to further strengthen their security. Examples of such authenticators include Okta Verify FastPass, FIDO2 WebAuthn, and PIV/CAC smart cards.
“Okta’s hack is a serious issue, and it highlights the importance of two-factor authentication,” said Pareekh Jain, chief analyst at Pareekh Consulting. “Even working with big software vendors, users cannot be fully sure about security. So, both enterprises and consumers should enable TFA to protect themselves against phishing.”