The Okta Breach: Part II
A Refresher
If only breaches could end at their first reported affected numbers.
For example, the LastPass breach(es), which ultimately totaled over 25 million affected users.
Let’s not forget Yahoo’s 2013 breach: the initial reports came in 2016, and then in August 2017 it was disclosed that every single existing account had been impacted.
The Topic at Hand
Now take the Okta breach, reported on October 20.
We discussed this breach in a previous post. At the time, all the known information stated that only ~1% (134) of Okta accounts were affected.
Well, upon further investigation, it turns out it was all of their customers. It seems Okta had a filter applied when they ran the same query the attackers had run. Once they noticed the filter and reran the query without it, it returned information about all of the customer support accounts.
On the bright side, most of the information returned and downloaded by the attackers appears to have been blank, except for names and email addresses. But who knows at this point. This could be a good time to remember that there’s a difference between affected and impacted.
From Okta’s latest update, they are "working with a third-party digital forensics firm to validate our findings and we will be sharing the report with customers upon completion."
The thing about their customer support accounts is that every customer admin account automatically gets one (it just makes sense). That makes them juicy target accounts for phishing.
With information about all of these customers in hand, the attackers have a long-lasting supply of reconnaissance material for future targeted attacks.
If you have strong phishing-resistant MFA in place, you won’t be an easy target for this.
Wrapping Up
Looking ahead, I see this becoming the de facto way attackers operate: targeting the “picks and shovels” players and letting those footholds open the door to everyone else.
This has become a lot more common in recent years, and it could potentially become the dominant approach, leading to an inevitable breach at another big third-party service provider.
Despite all of this, security is still our responsibility, and it is still worthwhile. We’ll go deeper into this responsibility and its implications in a future post.
I am convinced that there are only two types of companies: those that have been hacked and those that will be. - Robert Mueller