Okta’s breach investigation missed key information for two weeks.

In a Friday news dump blog post, Okta chief security officer David Bradbury revealed that a threat actor had access to files for 134 customers. Stolen session tokens from support logs were used to hijack sessions for 5 Okta customers, of which three have been publicly identified: 1Password (which first alerted Okta of the problem), BeyondTrust, and Cloudflare.

For a period of 14 days, while actively investigating, Okta did not identify suspicious downloads in our logs. When a user opens and views files attached to a support case, a specific log event type and ID is generated tied to that file. If a user instead navigates directly to the Files tab in the customer support system, as the threat actor did in this attack, they will instead generate an entirely different log event with a different record ID.

Not a great look for an identity management company that is supposed to prevent this exact problem.