Cybersecurity firm Okta said on Tuesday hackers stole data from all users of its customer support system in a network breach two months ago. That’s a much greater incursion than the company initially believed, and it exposes those customers to heightened attacks or phishing attempts, Okta warned. The San Francisco-based company, which provides single sign-on and multifactor authentication services for companies and organizations, including JetBlue, T-Mobile, FedEx, Major League Baseball, and the Defense Department, said it was working with a digital forensics firm to investigate.
In a blog post, Chief Security Officer David Bradbury said the bad actors had access to files used in troubleshooting sessions between customers and support engineers. Those files, known as HTTP Archive (HAR) files, record a browser's web traffic, including request and response headers and cookies, so support staff can replicate the customer's activity for troubleshooting purposes. The bad actors took advantage of that access to obtain active session cookies and API keys, which let them impersonate real users and gain access to sensitive systems and data. “The attackers were able to view and hijack the credentials and active sessions of 134 customers,” he said. Three customers that have been publicly identified are BeyondTrust, 1Password, and Cloudflare.
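The mechanism above, a HAR file that carries live session cookies and bearer tokens, is the reason practitioners sanitize such files before uploading them to any support portal. The following Python script is an added example, not code from Okta or from the article: it walks a parsed HAR structure, redacts the headers and cookies that typically carry session material, scrubs JWT-like strings from request and response bodies, and reports what it found. The header list, the JWT pattern, and the sample HAR are assumptions constructed for the example.

```python
"""Scan a HAR file for session cookies and API keys and redact them before
sharing it with a support team.  Added example; not Okta's own tooling."""
import copy
import json
import re

# Header names whose values commonly carry bearer tokens or API keys (assumed list).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key",
                     "x-auth-token", "proxy-authorization"}
# Three dot-separated base64url segments starting with "eyJ" (a JSON "{" prefix):
# the usual shape of a JWT.  Heuristic, assumed for this example.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
REDACTED = "[REDACTED]"

# Constructed sample HAR (HAR 1.2 layout: log -> entries -> request/response).
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://example.invalid/api/me",
            "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi.eyJzdWIi.sig"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sessionid", "value": "abc123"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sessionid=abc123; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"}],
            "cookies": [{"name": "sessionid", "value": "abc123"}],
            "content": {"mimeType": "application/json",
                        "text": "{\"apiToken\": \"eyJhbGciOi.eyJzdWIi.sig\"}"},
        },
    }]}
}


def _redact_headers(headers, findings, where):
    # Replace the value of every header whose name is on the sensitive list.
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            findings.append(f"{where} header {h['name']}")
            h["value"] = REDACTED


def _redact_cookies(cookies, findings, where):
    # Redact every cookie value: any of them may be a session identifier.
    for c in cookies:
        findings.append(f"{where} cookie {c.get('name', '?')}")
        c["value"] = REDACTED


def _redact_body(container, key, findings, where):
    # Scrub JWT-like tokens embedded in request or response bodies.
    text = container.get(key)
    if isinstance(text, str) and JWT_RE.search(text):
        findings.append(f"{where} body contains JWT-like token")
        container[key] = JWT_RE.sub(REDACTED, text)


def redact_har(har):
    """Return (redacted deep copy, list of findings) for a parsed HAR dict.
    The input dict is left untouched."""
    har = copy.deepcopy(har)
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        _redact_headers(req.get("headers", []), findings, f"entry {i} request")
        _redact_cookies(req.get("cookies", []), findings, f"entry {i} request")
        _redact_headers(resp.get("headers", []), findings, f"entry {i} response")
        _redact_cookies(resp.get("cookies", []), findings, f"entry {i} response")
        if "postData" in req:
            _redact_body(req["postData"], "text", findings, f"entry {i} request")
        if "content" in resp:
            _redact_body(resp["content"], "text", findings, f"entry {i} response")
    return har, findings


def redact_har_file(path_in, path_out):
    """Read a HAR file from disk, write the redacted copy, return the findings."""
    with open(path_in, encoding="utf-8") as fh:
        har = json.load(fh)
    redacted, findings = redact_har(har)
    with open(path_out, "w", encoding="utf-8") as fh:
        json.dump(redacted, fh, indent=2)
    return findings


if __name__ == "__main__":
    _, found = redact_har(SAMPLE_HAR)
    for line in found:
        print("redacted:", line)
```

Run it against a real capture with `redact_har_file("capture.har", "capture.redacted.har")` and review the findings list before the file leaves your machine. The script redacts by header name and cookie position rather than by guessing which cookie is the session cookie, which is the safer default: a missed token in a support upload is exactly the exposure the article describes.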
Bradbury said the company determined in its investigation that the attackers downloaded a report containing the names and email addresses of all clients that use Okta’s customer support system. He said the company had notified those clients who were affected. Okta also advised those affected to change their passwords and enable two-factor authentication wherever possible.
Okta, which competes with Microsoft, PingID, and Duo, has been hit by several cybersecurity incidents in recent years. The statement blamed the latest attack on “new lateral movement and defense evasion methods” being utilized by the threat actor.
Shares in the company were down more than 11% on Friday. The company is scheduled to report earnings after the market close on Wednesday.