“This is the second time Cloudflare has been impacted by a breach of Okta’s systems,” a group of Cloudflare engineers wrote on Friday. They went on to share a list of recommendations for how Okta can improve its security posture: “Take any report of compromise seriously and act immediately to limit damage. Provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them. Require hardware keys to protect all systems, including third-party support providers.”
The Cloudflare engineers added that they view taking protective steps like these as “table stakes” for a company like Okta that provides such crucial security services to so many organizations.
When WIRED asked Okta a series of questions about what steps it is taking to improve customer service defenses in the wake of the two breaches, and why there appears to be a lack of urgency when the company receives reports of potential incidents, the company declined to comment. A spokesperson said it would share more information about these subjects soon.
“I really want to know what technical controls Okta had implemented following the 2022 breach, and why this time will be different,” says Evan Johnson, cofounder of RunReveal, which develops a system visibility and incident detection tool. “My hunch is they did not roll out hardware security keys, or didn’t roll them out for their contractors doing support.”
Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security, emphasizes that “the issue is bigger than Okta,” noting that software supply chain attacks and the volume of hacks companies must defend against is significant. “It’s unfortunately common for service providers of any size to have trouble believing they are the source of an incident until definitive proof is offered,” he says.
Still, Williams adds, “there’s a pattern here with Okta, and it involves outsourced support.” He also notes that one of the remediations Okta suggested to customers in the wake of the recent incident—carefully removing support session tokens that could be compromised from troubleshooting data—is not realistic.
“Okta’s suggestion—that somehow the customer must be responsible for stripping session tokens from the files they specifically request for troubleshooting purposes—is absurd,” he says. “That’s like handing a knife to a toddler and then blaming the toddler for bleeding.”
