Okta Says Hackers Stole Data For All Customer Support Users (cnbc.com)
An anonymous reader quotes a report from CNBC: Hackers who compromised Okta's customer support system stole data from all of the cybersecurity firm's customer support users, Okta said in a letter to clients Tuesday, a far greater incursion than the company initially believed. The expanded scope opens those customers up to the risk of heightened attacks or phishing attempts, Okta warned. An Okta spokesperson told CNBC that customers in government or Department of Defense environments were not impacted by the breach. "We are working with a digital forensics firm to support our investigation and we will be sharing the report with customers upon completion. In addition, we will also notify individuals that have had their information downloaded," a spokesperson said in a statement to CNBC.
Nonetheless, Okta provides identity management solutions for thousands of small and large businesses, allowing them to give employees a single point of sign-on. It also makes Okta a high-profile target for hackers, who can exploit vulnerabilities or misconfigurations to gain access to a slew of other targets. In the high-profile attacks on MGM and Caesars, for example, threat actors used social engineering tactics to exploit IT help desks and target those companies' Okta platforms. The direct and indirect losses from those two incidents exceeded $100 million, including a multi-million dollar ransom payment from Caesars.
Customers in government or Department of Defense (Score:3)
"...customers in government or Department of Defense environments were not impacted by the breach..."
They've already lied about the scope, wanna bet they are still lying about this as well?
Re: Customers in government or Department of Defen (Score:2)
Not taking bets with zero chances...
Re: (Score:3)
First they say...
Hackers who compromised Okta's customer support system stole data from all of the cybersecurity firm's customer support users....
Then they say...
customers in government or Department of Defense environments were not impacted by the breach.
One of those things is not true, and I'm guessing it's the latter.
Re: (Score:2)
It is pretty common for platforms to offer government services on a separate implementation. Microsoft has 3 separate clouds for government alone.
Re: (Score:2)
"...customers in government or Department of Defense environments were not impacted by the breach..."
They've already lied about the scope, wanna bet they are still lying about this as well?
If you're familiar with Okta you would know it's a PoS product and chances are that no DoD agency or its contractors use this PoS. So that's a pretty safe statement.
Re: (Score:2)
Really? marketplace.fedramp.gov says otherwise.
Authorizing Entity (Moderate)
- Centers for Medicare & Medicaid Services
- Consumer Financial Protection Bureau
- Customs and Border Protection
- Cybersecurity & Infrastructure Security Agency
- Defense Information Systems Agency
- Department of State
- Department of the Navy
- Executive Office for United States Attorneys
- Federal Aviation Administration
- Federal Communications Commission
- Federal Retirement Thrift Investment Board
- Federal Student Aid
- Federal
Re: (Score:2)
Sadly, I am. Our gov't Agency uses it. It's crap.
Re: (Score:3)
No. That's just a totally separate environment. Whether it was compromised in a separate incident is a different issue, but their FedRAMP environments, both Moderate and High, are physically separated from their commercial one.
trade offs (Score:3)
Security is always a trade off between security and convenience. Okta is trying to put convenience into security, plus centralizing security for many organizations at once. Okta is a recipe for disaster.
Re: (Score:2)
Not only are they centralizing security, they are doing it using the web where attackers can plug away at them 24/7 from around the world. At least internal implementations require hackers to breach their networks first.
Quality (Score:2)
Security is an element of quality. If you use Okta you immediately see that visually, it's a slapped together product. If a company can't be bothered to fix the quality on things you can see, there is a huge chance that behind the scenes it's a mess too. I think that way of checking goes quite far, for instance 1password vs lastpass you can visually see which product has higher quality. Same with many others.
complete failure.. again and again (Score:4, Informative)
2022 breach 1: https://techcrunch.com/2022/03... [techcrunch.com]
2022 breach 2: https://techcrunch.com/2022/12... [techcrunch.com]
In their early 2022 breach, they were chided for lack of timely notification. They not only haven't learned to be open with their investors and customers, but clearly they can't fix their problems. Companies need to stop using them as an "identify management" provider, or maybe a couple of class action lawsuits may be the only way to force them to fix their business.
Re: (Score:2)
Or if nothing else, force them out of business. No one needs flaky auth.
Re: (Score:2)
What are the alternatives? The only one I've tried is PingID, but their Android app seems to be marginally worse, and what reason do I have to be confident in their backend?