All Customer Support Users Affected in Okta Breach
Data Breach
Okta, the San Francisco-based identity and access management cloud software company, suffered a data breach which has impacted all of their customer support system users. The breach, which occurred two months ago back in September, was reported to customers in October and a recent update was released by the company to its users after they found out that hackers downloaded report data which included personal identifiable information (PII) such as names and email addresses, and in some instances, additional information like usernames and phone numbers. The initial reporting of the incident by Okta stated that the impact of the breach was approximately 1% of its customer base or 134 organizations; however, the specific report stolen by these malicious actors contained data for all Okta clients that used its customer support system.
David Bradbury is the Okta chief security officer and in a statement related to the breach, he said, “While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks.” The company advises all customers to be vigilant when opening emails so as to avoid phishing attempts perpetrated by the hacking group which stole this information. Okta goes on to direct that the use of multi-factor authentication – a service which Okta provides to its customers as well – be implemented at this time in order to reduce the likelihood of compromising any additional data or devices.
Among Okta’s notable customers is T-Mobile, a mobile service provider which has suffered a whopping eight data breaches since 2018. Cybersecurity is an essential element for all businesses and users alike, and as this Okta breach shows, even companies which are security-centric can fall victim to cyber attacks. Entities which carry PII and other sensitive information need to do what they can to prevent an attack and furthermore, have strategies to deal with an incident quickly whenever one might strike in order to reduce the overall impact felt at the company and by its associated members and customers. Stress testing your network and systems can be a useful exercise to assist in finding vulnerabilities in your defenses; then be sure to patch these weak spots to avoid leaving open entry points for nefarious groups to exploit in the future. For users of any website, protecting your own data is crucial as well. Be sure to practice strong password hygiene – using different passwords for every login you have and making each one strong via the use of varying capitalization, characters, and numbers – and implement multi-factor authentication – typically in the form of a one-time code emailed or texted to an associated email address or phone number – whenever possible.
