Okta’s shares slumped on Friday after it disclosed a breach of its customer support system that allowed some hackers to view files uploaded by specific clients, pushing the software firm’s stock down about 12%. The company did not specify the customers affected or the nature of the compromised data. It did say the hacker gained access to its systems by using a stolen credential at a third-party subprocessor, which it identified as a Miami-based contact center provider called Sykes. The company said the hacker could log in to its system and download customer data. Still, the hacker could not access its two-factor authentication service or customers’ other technologies.
The company’s chief security officer, David Bradbury, said further analysis of the compromise had downgraded earlier assessments of the potential impact. He also acknowledged that the company was “a little off” with its initial disclosure of the breach, which he described as a “misstep.”
But he also pointed out that it had extensively investigated the incident and its impact on customers to ensure their data was secure. He said its forensics work “clearly indicates that the breach was not nearly as significant as was originally believed.”
Some analysts and customers were skeptical. In a podcast for cybersecurity publication Recorded Future, security analyst Marc Maiffret noted that the attacker could replay browser recordings of a session logged by an administrator and leverage information about the user’s identity to gain lateral movement within the network. He also questioned why the incident did not trigger an alert for Okta users and how the hacker obtained the stolen credentials in the first place.
Bradbury addressed those concerns in a blog post. He wrote that the attack “limited the amount of data accessed by the adversary to the files uploaded via the support case management system, and only those uploaded by customers with the highest sensitivity.” He added that the attacker did not access customer data stored in other Okta systems or the company’s two-factor authentication service.
He also pointed out that the data was only accessible to a support engineer, who could not reset passwords or see other customer activity. He emphasized that the attack involved only one privileged account at Sykes, which Sitel, not Okta, owns.
Still, the damage was done. Okta has a large customer base, including FedEx, Zoom, Lululemon, and JetBlue. It is a leading authentication hub that helps companies manage their access to many other technology platforms. Its customers must trust that they can authenticate and use those other systems securely, so they have to weigh the costs of this breach against the benefits of having a trustworthy and robust security solution. It will take time for some customers to regain confidence in Okta’s ability to protect their systems and data. Others may start looking elsewhere. And it could become more challenging for the company to acquire new business as other vendors offer more secure alternatives.