Identity services provider Okta has disclosed that it detected “increased threat actor activity” in connection with the October 2023 breach of its support case management system.
“The threat actor downloaded the names and email addresses of all users of Okta’s customer support system,” the company said in a statement shared with The Hacker News.
“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are affected except for customers in our FedRamp High and DoD IL4 environments (these environments use a different support system that was NOT accessible to the threat actor). The Auth0/CIC support case management system is not affected by this incident.”
News of the expanded scope of the breach was first reported by Bloomberg.
The company also told the publication that, although it has no evidence of the stolen information being actively abused, it has informed all customers of the potential risk of phishing and social engineering.
It also stated that it “is pushing new security features on our platforms and providing customers with specific recommendations to protect against potential targeted attacks against their Okta administrators.”
Okta, which has enlisted the help of a digital forensics firm to support its investigation, further said it will “also notify individuals that their information has been downloaded.”
The development comes more than three weeks after the identity management and authentication provider said the breach, which occurred between September 28 and October 17, 2023, affected 1% of its customers (i.e., 134 of 18,400).
The identity of the threat actors behind the attack on Okta’s systems is currently unknown, although a notorious cybercrime group called Scattered Spider targeted the company in August 2023 to obtain elevated administrator permissions by pulling off sophisticated social engineering attacks.
According to a report published by ReliaQuest last week, Scattered Spider infiltrated an unnamed company and accessed an IT administrator’s account through Okta single sign-on (SSO), followed by lateral movement from the identity-as-a-service (IDaaS) provider to the company’s on-premises assets in less than an hour.
The formidable and agile adversary has in recent months also become an affiliate of the BlackCat ransomware operation, infiltrating cloud and adjacent environments to deploy file-encrypting malware for illicit financial gain.
“The group’s ongoing activity is a testament to the capabilities of a highly skilled actor or team that has a sophisticated understanding of the cloud and its surrounding environments, enabling them to navigate with efficiency,” ReliaQuest researcher James Xiang said.