Okta Breach Impacted All Customer Support Users—Not 1 Percent

In late October, the identity management platform Okta began notifying its users of a breach of its customer support system. The company said at the time that about 1 percent of its 18,400 customers were impacted by the incident. But in a massive expansion of this estimate early this morning, Okta said that its investigation has uncovered additional evidence that, in fact, all of its customers had data stolen in the breach two months ago.

The original 1 percent estimate related to activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for troubleshooting. But the company admitted on Wednesday that its initial investigation had missed other malicious activity in which the attacker simply ran an automated query of the database that contains names and email addresses of “all Okta customer support system users.” This also included some Okta employee information.

While the attackers queried for more data than just names and email addresses—including company names, contact phone numbers, and the data of last login and last password changes—Okta says that “the majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6 percent of users in the report, the only contact information recorded is full name and email address.”

The only Okta users not impacted by the breach are high-sensitivity customers that must comply with the United States Federal Risk and Authorization Management Program or US Department of Defense Impact Level 4 restrictions. Okta provides a separate support platform for these customers.

Okta says it didn’t realize that all customers had been affected by the incident because, while its initial investigation had looked at the queries the attackers ran on the system, “the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation.” In the initial assessment, when Okta regenerated the report in question as part of retracing the attackers’ steps, it didn’t run an “unfiltered” report, which would have returned more results. This meant that in Okta’s initial analysis, there was a discrepancy between the size of the file the investigators downloaded and the size of the file the attackers had downloaded, as recorded in the company’s logs.

Okta did not immediately respond to WIRED’s requests for clarification on why it took a month for the company to run an unfiltered report and reconcile this inconsistency.