An update from Okta on its October customer support security breach indicates that the damage is worse than initially expected, with all of the recent users of its Help Center service now being told that the attackers likely stole their uploaded files.
The final report on the Okta security breach indicates that the attackers were able to access HAR files containing session tokens of 134 customers, but it appears they were very selective about which of them they pursued with follow-up attacks. Only five instances of successful session hijacking were logged.
Okta Support System Compromised by Cookie Hijacking, Security Breach May Have Exposed Customer Files
In an early October security breach, attackers were able to steal a session cookie from the Okta support system and access an administrator account, possibly providing them with further access to customer environments.
Okta is once again in trouble as the company's GitHub repositories have been hacked. There does not appear to be any impact to Okta clients, but the service source code appears to have been stolen in the breach.
In the roughly five months that the Okta phishing campaign has been active, it has racked up 9,931 login credentials from about 130 organizations. 5,541 included MFA codes, and 3,120 included the victim's email account.