Okta Discloses Second Customer-Support Breach in Two Years
Identity provider Okta confirmed an attacker accessed support-case files belonging to all customers of its main support system, widening earlier disclosures that had put the impact at 1 percent of customers.
Identity-as-a-service provider Okta confirmed today that an attacker accessed support-case files for "all customers" of its main support case management system over a roughly 19-day window beginning September 28, expanding earlier disclosures that had limited the impact to approximately 1 percent of customers.
The compromised support cases include HAR (HTTP Archive) files that customers had uploaded to assist Okta engineers in troubleshooting. HAR files frequently contain session tokens, cookies, and other sensitive authentication data captured during browser-debugging sessions.
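As an added illustration (not code from the article, from Okta, or from any of the affected vendors), the Python script below shows the client-side sanitization a customer can apply to a HAR file before uploading it to any vendor's support portal: it redacts authorization and cookie headers, the parsed cookie lists, token-like query and form parameters, the copy of the query string inside the request URL, and response bodies. The HAR entry it processes is constructed for the example, and the header and parameter name lists are assumptions rather than a definitive catalogue.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header and parameter names (matched case-insensitively) that carry credentials or session identifiers.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "sessiontoken", "code"}

def _scrub_pairs(pairs, names):
    """Redact every HAR name/value pair whose name is in `names`; return the count."""
    hits = 0
    for pair in pairs or []:
        if pair.get("name", "").lower() in names:
            pair["value"], hits = REDACTED, hits + 1
    return hits

def _scrub_url(url):
    # The URL field repeats the query string, so redact sensitive parameters there too.
    parts = urlsplit(url)
    qs = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
          for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(qs)))

def sanitize_har(har):
    """Redact credentials in a parsed HAR dict in place; return how many header, cookie, parameter and body values were redacted."""
    hits = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            hits += _scrub_pairs(msg.get("headers"), SENSITIVE_HEADERS)
            # HAR stores cookies twice (raw header and parsed list); treat every cookie value as a secret.
            for cookie in msg.get("cookies", []):
                cookie["value"], hits = REDACTED, hits + 1
        req = entry.get("request", {})
        hits += _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        hits += _scrub_pairs(req.get("postData", {}).get("params"), SENSITIVE_PARAMS)
        if req.get("url"):
            req["url"] = _scrub_url(req["url"])
        # Session and token endpoints return credentials in the JSON body: drop response body text outright.
        content = entry.get("response", {}).get("content", {})
        if content.get("text"):
            content["text"], hits = REDACTED, hits + 1
    return hits

# Constructed sample HAR (not a real capture) showing each place a session token can land.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.invalid/api/v1/sessions/me?token=tok_ABC",
                "headers": [{"name": "Cookie", "value": "sid=SESSION_SECRET"}],
                "cookies": [{"name": "sid", "value": "SESSION_SECRET"}], "queryString": [{"name": "token", "value": "tok_ABC"}]},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=NEW_SECRET; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "NEW_SECRET"}], "content": {"text": "{\"sessionToken\": \"tok_XYZ\"}"}}}]}}
```

Run `sanitize_har` on the parsed contents of a real HAR file and write the result back out with `json.dump` before attaching it to a support case; the redacted file still shows request flow, status codes and timings, which is usually all a support engineer needs.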
The breach was first detected after BeyondTrust noticed an attacker attempting to use a stolen session token to access its Okta tenant; Cloudflare and 1Password both subsequently reported similar lateral-movement attempts using session tokens believed to have been harvested from the Okta support system.
"For a long time the HAR file was the safest debugging artifact you could send to a vendor," said Brian Krebs in a post about the incident. "Okta's breach upends that assumption, and underscores that customer-support systems remain the soft underbelly of even the most security-conscious identity providers."
Okta CEO Todd McKinnon told investors the company had implemented session-token binding to client networks, accelerated migration of support to a new tenant with hardened controls, and now strips authentication tokens from HAR uploads at the support-portal level. The company's stock fell approximately 11 percent on the expanded disclosure.
This is Okta's second customer-support-related breach in less than two years, following the 2022 Lapsus$ compromise via Sitel.