1. 44
  1. 12

    Statement from the CEO: https://twitter.com/toddmckinnon/status/1506184721922859010

    In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.

    1. 35

      “There was a security breach in January that we didn’t tell you about until we were forced to,” is what I’m reading there.

    2. 15

      Now I finally understand what they meant by their Zero-Trust-Security-Model!

      1. 5

        “Single Sign-On” or “Single Point of Failure”? Ugh. My heartfelt wishes to all defenders and incident response folks out there.

        1. 4

          Done well, I would always prefer a single reference login system, where it is kept up to date. The alternative tends to be a million silos of local accounts, and the corresponding mess of never-removed accounts from infrastructure changes or people leaving.

          In one place, you can make sure that you have a canonical reference where policies are actually applied. However, I would also steer clear of unmitigated vendor “support” access as well, instead having an account that is enabled for them when required and removed again.

          1. 9

            This is the thing people don’t seem to get: outsourcing auth to a specialist provider is still the safer option by a large margin. The amount of stuff you have to get right – not “eh, good enough” or “MVP”, but actually full-on works-every-time correct – to do auth is just staggering. Maybe we need to start expressing it in terms of something more quantifiable, like mean time to breach, but Okta having an incident (even a big, scary, bad incident) is not really an argument to move to “everybody do their own”.

            1. 2

              Hey, if I had IAM/SSO as my responsibility, I’d really shy away from doing it myself too! But having the keys to so many kingdoms in one org is just scary. I wonder if there are better architectures out there :)

              1. 2

                Excellent points! The implementation aspect is one area that roll-your-own can fall down, and it’s too bad that the consumer-facing, decentralized options haven’t really gone anywhere. (Say, Mozilla’s Persona service: https://en.wikipedia.org/wiki/Mozilla_Persona) Maybe OpenID Connect will go somewhere, but I certainly have no interest in using Google/Twitter/Facebook to log in to other sites.

                1. 1

                  I would love for the industry to standardize on something that isn’t tightly coupled to JWT.

                  1. 1

                    It’s a complex spec for sure, with enough ways to do it wrong. Would you suggest something else?

                    1. 2

                      Several plausible alternative token systems, designed by security people and with much better overall philosophies, have been proposed (PASETO, Macaroons, etc. etc.). None have caught on because JWT has all the inertia.
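                      To make the "better overall philosophy" concrete, here is an added example (not from the thread and not the PASETO or Macaroons reference code) of the Macaroon idea in stdlib Python: a bearer token whose holder can only narrow it by appending HMAC-chained caveats, never widen it or mint a fresh one without the root key. The root key, token identifier and caveat syntax (`key=value`, `key<int`) are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed root key for the demo; a real deployment keeps this server-side.
ROOT_KEY = b"constructed-demo-root-key-not-a-real-secret"

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    """Issue a token with no caveats: sig = HMAC(root_key, identifier)."""
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}

def attenuate(token: dict, caveat: str) -> dict:
    """Add a restriction. The new signature chains off the previous one, so the
    holder can narrow the token without ever seeing the root key, but cannot
    drop a caveat (the earlier signature is not recoverable from the new one)."""
    return {"id": token["id"],
            "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat)}

def verify(root_key: bytes, token: dict, context: dict) -> bool:
    """Recompute the HMAC chain from the root key and check every caveat
    against the request context. Any malformed or unmet caveat fails closed."""
    sig = _mac(root_key, token["id"])
    for caveat in token["caveats"]:
        m = re.fullmatch(r"(\w+)([=<])(.+)", caveat)
        if m is None:
            return False
        key, op, value = m.groups()
        actual = context.get(key)
        if actual is None:
            return False
        try:
            if op == "=" and str(actual) != value:          # e.g. customer=acme
                return False
            if op == "<" and not int(actual) < int(value):  # e.g. now<1650000000
                return False
        except ValueError:
            return False
        sig = _mac(sig, caveat)
    return hmac.compare_digest(sig, token["sig"])
```

                      A support engineer handed `attenuate(t, "customer=acme")` can further restrict it to `action=read` or a deadline, but removing a caveat or changing the identifier breaks the chain and `verify` rejects it.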

          2. 3

            Okta has reiterated its claim that they have not been breached.

            1. 4

              The statement has been updated:

              After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon.

            2. 3

              This could be horrible, but here’s hoping that it ends up being a super benign case instead of something more elaborate. I expect we’ll get more clarity in the coming hours.

              1. 2

                37 GB torrent of fresh meat. Claimed…

                1. 1

                  There’s some interesting speculation here and here.