When KrebsOnSecurity broke the information on Oct. 20, 2023 that id and authentication big Okta had suffered a breach in its buyer help division, Okta mentioned the intrusion allowed hackers to steal delicate information from fewer than one p.c of its 18,000+ clients. However in the present day, Okta revised that affect assertion, saying the attackers additionally stole the title and e mail deal with for practically all of its buyer help customers.

Okta acknowledged final month that for a number of weeks starting in late September 2023, intruders had entry to its buyer help case administration system. That entry allowed the hackers to steal authentication tokens from some Okta clients, which the attackers may then use to make modifications to buyer accounts, resembling including or modifying approved customers.

In its preliminary incident reviews concerning the breach, Okta mentioned the hackers gained unauthorized entry to information inside Okta’s buyer help system related to 134 Okta clients, or lower than 1% of Okta’s buyer base.

However in an up to date assertion printed early this morning, Okta mentioned it decided the intruders additionally stole the names and e mail addresses of all Okta buyer help system customers.

“All Okta Workforce Identification Cloud (WIC) and Buyer Identification Resolution (CIS) clients are impacted besides clients in our FedRamp Excessive and DoD IL4 environments (these environments use a separate help system NOT accessed by the risk actor),” Okta’s advisory states. “The Auth0/CIC help case administration system was additionally not impacted by this incident.”

Okta mentioned that for practically 97 p.c of customers, the one contact data uncovered was full title and e mail deal with. Which means about three p.c of Okta buyer help accounts had a number of of the next information fields uncovered (along with e mail deal with and title): final login; username; cellphone quantity; SAML federation ID; firm title; job function; consumer kind; date of final password change or reset.

Okta notes that numerous the uncovered accounts belong to Okta directors — IT folks liable for integrating Okta’s authentication expertise inside buyer environments — and that these people needs to be on guard for focused phishing assaults.

“Many customers of the shopper help system are Okta directors,” Okta identified. “It’s vital that these customers have multi-factor authentication (MFA) enrolled to guard not solely the shopper help system, but additionally to safe entry to their Okta admin console(s).”

Whereas it could appear utterly bonkers that some corporations enable their IT employees to function company-wide authentication techniques utilizing an Okta administrator account that isn’t protected with MFA, Okta mentioned absolutely six p.c of its clients (greater than 1,000) persist on this harmful apply.

In a earlier disclosure on Nov. 3, Okta blamed the intrusion on an worker who saved the credentials for a service account in Okta’s buyer help infrastructure to their private Google account, and mentioned it was possible these credentials had been stolen when the worker’s private machine utilizing the identical Google account was compromised.

In contrast to normal consumer accounts, that are accessed by people, service accounts are principally reserved for automating machine-to-machine capabilities, resembling performing information backups or antivirus scans each night time at a selected time. For that reason, they’ll’t be locked down with multifactor authentication the best way consumer accounts can.

Dan Goodin over at Ars Technica reckons this explains why MFA wasn’t arrange on the compromised Okta service account. However as he rightly level out, if a transgression by a single worker breaches your community, you’re doing it unsuitable.

“Okta ought to have put entry controls in place apart from a easy password to restrict who or what may log in to the service account,” Goodin wrote on Nov. 4. “A technique of doing that is to place a restrict or circumstances on the IP addresses that may join. One other is to recurrently rotate entry tokens used to authenticate to service accounts. And, after all, it ought to have been not possible for workers to be logged in to private accounts on a piece machine. These and different precautions are the accountability of senior folks inside Okta.”

Goodin advised that individuals who wish to delve additional into numerous approaches for securing service accounts ought to learn this thread on Mastodon.

“A good variety of the contributions come from safety professionals with in depth expertise working in delicate cloud environments,” Goodin wrote.