Okta security incident history - let's learn from others' mishaps

published: Oct. 27, 2023

Take action: One incident can happen to anyone. Multiple incidents, especially of a similar kind, indicate a systemic problem. Track the number and type of incidents at your third-party providers and be very critical when evaluating them. If you are a third-party provider, be ready for radical and painful changes after an incident - the goal is to prevent a repeat, not to restore the old routine.


Learn More

On October 20, Okta, one of the largest identity management platforms, reported a security breach in its customer support system. The company stated that only a specific subset of its clients was impacted by the intrusion: out of Okta's roughly 18,400 customers, about 1% (around 184 customers) were informed about the breach.

Given how widely Okta is used, any compromise of Okta poses a risk to its customers. In this particular instance, multiple very large customers detected issues that were linked to the incident:

  • 1Password alerted Okta about unusual activity in its Okta tenant.
  • BeyondTrust reported abnormal behavior in its Okta administrative account.
  • Cloudflare, an internet infrastructure firm, also reported a related incident in its Okta systems.

As with any system, there is always a risk of a security incident. Because Okta provides identity and authentication services to a vast and notable customer base, it is a prime target for attacks: compromising the identity provider is a shortcut into every customer that trusts it.

But this is not the first time Okta has slipped up. In 2022 Okta was impacted by three incidents, one of which is very similar to the latest one:

  • In December 2022, Okta's source code repositories were compromised and the attackers managed to steal software source code.
  • In August 2022, Okta was one of the victims of a hack at Twilio, a third-party provider. Okta's SSO login pages were impersonated in a phishing campaign, and one-time SMS codes delivered through Twilio were intercepted.
  • In March 2022, one of Okta's third-party support providers was compromised, exposing 366 corporate customers, or about 2.5% of its customer base. Even worse, Okta bungled the communication to customers: notification was delayed for months, and some customers learned of the incident from social media.

While it is never easy to judge an organization's security posture as an outsider, four security incidents within the span of two years is a significant metric. Okta has not provided details on security process improvements after the incidents, so it is not clear which controls have been put in place.

There are two key elements to take away from the series of incidents at Okta:

  1. If you are managing a service and it has an incident, stop and reconsider your current work. Accept changes in processes that may seem radical, even if they significantly reduce comfort. That is *much* better than doing the same thing and expecting different results.
  2. Third-party service providers are one of the highest risks to an organization. Today we are used to outsourcing and using off-the-shelf products and services to speed up delivery, but we give such providers implicit, almost unlimited trust. Approach a third-party service provider with a large grain of salt, and keep evaluating alternatives, because at some point you may be forced to switch because the provider has had too many or too large incidents.

Be sure not to fall into the trap of certificates and compliance. Track your suppliers' incidents throughout the year; those are much better indicators of real security posture than any certificate a supplier can achieve.
