Okta took over two weeks to confirm a breach of its support systems after being contacted by one affected customer, cybersecurity company BeyondTrust – whose own systems stopped further exploitation after the attacker tried to gain administrative control over its Okta tenant.
The attacker meanwhile had pounced on a file uploaded by BeyondTrust to Okta's compromised systems within 30 minutes of it being shared.
During those weeks unknown attackers used their access to Okta’s support systems to launch exploitation attempts (some successful) against a wide range of Okta customers – BeyondTrust, Cloudflare, and 1Password have all reported in admirable detail on their experiences this week.
The reports come as concern mounts of Okta's security posture including why it its support systems were not better protected and why they were housing so many "unsanitised" HAR files from customers containing credentials that let an attacker pivot to customers' Okta instances.
