Okta's comms have been laughable
Compromises happen, even to authentication providers.
What doesn't instill trust though, has been Oktas communication about the issue.
They've gone from "no, it's just something that happened months ago that we never mentioned" to "yeah, it was months ago, and it turns out they accessed some customer data, we're making contact"
Forensic investigations take time, it's not Okta's fault they only got the report back recently, but they should have been proactively contacting customers *in january*.
They're a gateway to a myriad of other systems, there's absolutely no excuse for having left those systems at risk despite knowing that a "limited" compromise of their own systems had occurred.
All they needed to say was
"Dear customer, we've detected a possible security incident with a third party supplier, we're investigating, but please consider whether you wish to reset access credentials"
Instead they kept quiet and let their customers shoulder the risk.
Not exactly a ringing endorsement for a provider that's supposed to be part of your first line of defence
Biting the hand that feeds IT
