TL;DR: Okta recently determined that data pertaining to users of its support system was stolen by a threat actor during an incident Okta identified in October.


The details:
Okta identified a security incident in October and has continued to investigate since that time. In a recent analysis, Okta determined that the threat actor who gained access to its systems was able to run a report containing information submitted by users of the Okta customer support system. That information included customers' names, job roles, contact information, addresses, and other similar details.

These details, including names, phone numbers, and addresses, can be and are used in targeted social engineering attempts. They let an attacker know who's who on the security team at potentially targeted organizations.


Why we are telling you:

At Expel, we recognize user identity as a major target of threat actors. This incident impacts almost all of Okta’s customers. Expel uses Okta to secure our users and many of our customers do too. Securing user access is essential to protecting our customers’ organizations.


What we’re doing:

We have remained attentive to this activity and are confident that we are able to detect related activity with our current detections. 


Due to the scope and nature of this threat, we are reviewing our Okta detection strategy for opportunities to modify alert severities in an effort to highlight activity resulting from abuse of the stolen information.

Expel is considering ways to ensure our own administrators are prepared against potential social engineering attempts.

Immediate recommendations:

  • Ensure your Okta administrator accounts are secured with MFA.


Strategic recommendations:

  • Test security controls related to user and administrator password resets. Test controls for different methods such as self-service password resets and calls to the help desk.

