Identity services provider Okta has disclosed that it detected “additional threat actor activity” in connection with the October 2023 breach of its support case management system.
“The threat actor downloaded the names and email addresses of all Okta customer support system users,” the company said in a statement shared with The Hacker News.
“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was not impacted by this incident.”
News of the expanded scope of the breach was first reported by Bloomberg.
The company also told the publication that while it doesn’t have any evidence of the stolen information being actively misused, it has taken the step of notifying all customers of potential phishing and social engineering risks.
It also stated that it “pushed new security features to our platforms and provided customers with specific recommendations to defend against potential targeted attacks against their Okta administrators.”
Okta, which has enlisted the help of a digital forensics firm to support its investigation, further said it “will also notify individuals that have had their information downloaded.”
The development comes more than three weeks after the identity and authentication management provider said the breach, which took place between September 28 and October 17, 2023, affected 1% – i.e., 134 – of its 18,400 customers.
The identity of the threat actors behind the attack against Okta’s systems is currently not known, although a notorious cybercrime group called Scattered Spider has targeted the company as recently as August 2023 to obtain elevated administrator permissions by pulling off sophisticated social engineering attacks.
According to a report published by ReliaQuest last week, Scattered Spider infiltrated an unnamed company and gained access to an IT administrator’s account via Okta single sign-on (SSO), followed by laterally moving from the identity-as-a-service (IDaaS) provider to their on-premises assets in less than one hour.
The formidable and nimble adversary, in recent months, has also evolved into an affiliate for the BlackCat ransomware operation, infiltrating cloud and on-premises environments to deploy file-encrypting malware for generating illicit profits.
“The group’s ongoing activity is a testament to the capabilities of a highly skilled threat actor or group having an intricate understanding of cloud and on-premises environments, enabling them to navigate with sophistication,” ReliaQuest researcher James Xiang said.