Okta October breach affected 134 orgs, biz admits

Okta has confirmed details of its October breach, reporting that the incident led to the compromise of files belonging to 134 customers, "or less than 1 percent of Okta customers." Okta's report on the breach confirms much of what was previously known, but provides the first set of solid numbers of those affected, and notes …

  1. Doctor Syntax Silver badge

    "Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop,"

    How was this possible, given the nature of the company?

    1. Missing Semicolon Silver badge

      Surely, the tab isolation is sufficient to prevent the user-google-mail page from sniffing data from the work context?

      1. Anonymous Coward

        I would expect the exploit to loop through the host OS, not necessarily tab-to-tab inside the browser.
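        The thread above asks how a personal Google profile could be signed in on an Okta-managed Chrome at all. The control that governs this is Chrome's enterprise sign-in policy, and the audit below is an added example (not code from Okta or The Register) that checks a policy set for the default, unrestricted state against a hardened one. The policy names are real Chrome policies; the policy dicts, the domain example.com and the sample addresses are constructed for the example.

```python
import re

# Constructed example policies, not any real tenant's configuration.
# Keys are real Chrome enterprise policy names; example.com is a placeholder work domain.
DEFAULT_POLICY: dict = {}  # nothing managed: any Google account may sign in and sync

HARDENED_POLICY = {
    "BrowserSignin": 1,                                  # 0 = disable sign-in, 1 = allow, 2 = force
    "RestrictSigninToPattern": r"^[^@]+@example\.com$",  # only work-domain accounts may sign in
    "SyncDisabled": True,                                # no bookmark/history/password sync
}


def audit_chrome_signin_policy(policy: dict, work_domain: str) -> list[str]:
    """Return findings for a Chrome policy set; an empty list means personal-profile
    sign-in (the scenario quoted above) is blocked by policy."""
    findings: list[str] = []
    if policy.get("BrowserSignin", 1) == 0:
        return findings  # browser sign-in is off entirely, so no profile can attach

    pattern = policy.get("RestrictSigninToPattern")
    if not pattern:
        findings.append("RestrictSigninToPattern unset: any Google account, personal "
                        "ones included, can sign in to the browser profile")
    else:
        try:
            rx = re.compile(pattern)
        except re.error as exc:
            findings.append(f"RestrictSigninToPattern is not a valid regex: {exc}")
        else:
            # The pattern is meant to admit work accounts and reject everything else.
            if rx.fullmatch("someone@gmail.com"):  # constructed personal address
                findings.append("RestrictSigninToPattern still admits a consumer address")
            if not rx.fullmatch(f"user@{work_domain}"):
                findings.append("RestrictSigninToPattern rejects the work domain itself")

    if not policy.get("SyncDisabled", False):
        findings.append("SyncDisabled is false: a signed-in profile syncs saved passwords "
                        "and history to whichever account is attached")
    return findings


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_chrome_signin_policy(pol, "example.com") or ["no findings"])
```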

  2. hoola Silver badge

    The usual....

    Most of these breaches end up being some form of human failing, whatever the reason.

    The responses are equally annoying:

    Only 1% of customers affected

    It was only email addresses

    It was data from 5 years ago

    It only contained users' names and passwords

    No banking information was taken

    And so it goes on. There comes a point where there is so much that has been stolen or left open for people to take that we have a massive problem, yet nobody gives a stuff. Compute is so cheap and fast now that data matching is easy. It becomes a simple task to collate different exposed data sets to put together a master set that contains enough information to steal identities and all sorts.

    1. Doctor Syntax Silver badge

      Re: The usual....

      Only 134 looks OK until you realise that these customers are businesses relying on Okta for secure ID management. What number of real people are at risk from those 134?

  3. aerogems Silver badge

    Not the point

    You always see "a tiny fraction" or "less than X%" in these PR statements, and it's always not the point. The point is, you sell a security product, you failed to protect your clients, and now every one of your remaining customers has a very legitimate right to question your ability to deliver on what they're paying you for. It doesn't matter if only a single customer was affected, that's still 1 too many when you sell security software and solutions.

    And worse than that is the story from a week or two back where Okta went radio silent on one of the customers mid-breach! To me, that's an unforgivable sin for any security company. Any CTO worth their stock options should be conducting a thorough evaluation of all competing products, and even whether they really need an SSO-type service such as Okta at all. Well, their staff should be anyway.
