Incident analysis

Okta's November 2023 breach: when every customer record was exposed

Identity giant Okta disclosed in November 2023 that the October breach of its customer support system had exposed data on every user of that system, meaning essentially every customer. For an identity provider, the stakes could not be higher.

FoxHat Research, May 21, 2024, 5 min read

On November 29, 2023, Okta, the identity and access management provider used by thousands of enterprises, updated its disclosure of an October breach of its support system with a painful admission: the attacker had run and downloaded a report containing the names and email addresses of all users of its customer support system. The intrusion started with stolen credentials for a service account in Okta's support case management system. With that access the attacker viewed support cases and the HAR files customers had attached to them, some of which contained live session tokens.

  • 100% of Okta customer support system users had their names and email addresses downloaded (source: Okta disclosure, November 2023)
  • $15B+ market cap of the largest identity vendor in the world (source: public market data, 2023)
  • 18,000+ customers worldwide relying on Okta for authentication (source: Okta investor relations)

How the breach happened

Okta's investigation found that the attacker had obtained the username and password of a service account used by its customer support system; the credentials had been saved into an employee's personal Google account, which was signed in to the browser on an Okta-managed laptop. With those credentials, the threat actor could view and, in some cases, modify support cases, including the HAR (HTTP Archive) files customers upload for troubleshooting. A HAR file is a full capture of browser traffic, and unless it is sanitized it carries every cookie and Authorization header sent during the recorded session. Replaying the session cookies from those files let the attacker act as the customer's administrator inside the customer's own Okta tenant, which is how the customer tenants hit in this incident were reached.
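The practical control on the customer side is to strip session material from a HAR file before it ever reaches a vendor's support portal. The script below is an added example, not Okta's or FoxHat's code: it walks a HAR file, redacts Cookie, Set-Cookie and Authorization headers, redacts cookie entries by name, scrubs JWT-shaped tokens from request and response bodies, and reports what it found so the uploader knows what the unsanitized file would have leaked. The HAR sample, the header list and the cookie names (including the assumed `sid` and `idx`) are constructed assumptions for the example, not a vendor's definitive list.

```python
import json
import re
from copy import deepcopy

# Header names whose values carry credentials or session state (assumption:
# extend with anything your own applications use).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-okta-xsrftoken"}
# Cookie names treated as session cookies (assumption, not a vendor list).
SENSITIVE_COOKIES = {"sid", "idx", "dt", "jsessionid", "__session"}
# Anything shaped like a JWT (three base64url segments) inside a body.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")
REDACTED = "[REDACTED]"


def _scrub_pairs(pairs, sensitive_names):
    """Redact name/value pairs whose name is sensitive; return the names hit."""
    hits = []
    for pair in pairs:
        if pair.get("name", "").lower() in sensitive_names and pair.get("value"):
            hits.append(pair["name"])
            pair["value"] = REDACTED
    return hits


def _scrub_text(container, key):
    """Redact JWT-looking tokens in a text field; return how many were found."""
    text = container.get(key)
    if not isinstance(text, str):
        return 0
    container[key], count = JWT_RE.subn(REDACTED, text)
    return count


def sanitize_har(har):
    """Return (sanitized copy, findings). Each finding is (url, description).
    The input dict is left untouched so the caller can diff the two."""
    clean = deepcopy(har)
    findings = []
    for entry in clean["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = req.get("url", "")
        for name in _scrub_pairs(req.get("headers", []), SENSITIVE_HEADERS):
            findings.append((url, f"request header {name}"))
        for name in _scrub_pairs(req.get("cookies", []), SENSITIVE_COOKIES):
            findings.append((url, f"request cookie {name}"))
        for name in _scrub_pairs(resp.get("headers", []), SENSITIVE_HEADERS):
            findings.append((url, f"response header {name}"))
        for name in _scrub_pairs(resp.get("cookies", []), SENSITIVE_COOKIES):
            findings.append((url, f"response cookie {name}"))
        n = _scrub_text(req.get("postData", {}), "text")
        if n:
            findings.append((url, f"{n} token(s) in request body"))
        n = _scrub_text(resp.get("content", {}), "text")
        if n:
            findings.append((url, f"{n} token(s) in response body"))
    return clean, findings


# Constructed HAR excerpt for the example; the hostname, cookie values and
# token are made up and carry no real session.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [
        {
            "request": {
                "method": "GET",
                "url": "https://example.okta.com/api/v1/users/me",
                "headers": [
                    {"name": "Cookie", "value": "sid=102abcDEF; DT=xyz"},
                    {"name": "Accept", "value": "application/json"},
                ],
                "cookies": [{"name": "sid", "value": "102abcDEF"},
                            {"name": "DT", "value": "xyz"}],
            },
            "response": {
                "status": 200,
                "headers": [{"name": "Content-Type", "value": "application/json"}],
                "cookies": [],
                "content": {"mimeType": "application/json",
                            "text": '{"id":"00u1","token":"eyJhbGciOi.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"}'},
            },
        }
    ]}
}

if __name__ == "__main__":
    clean, findings = sanitize_har(SAMPLE_HAR)
    for url, what in findings:
        print(f"{what:<32} {url}")
    print(json.dumps(clean, indent=1))
```

Run it over a real capture with `json.load(open("capture.har"))` and upload only the returned copy; the findings list doubles as the record of which cookies to invalidate if an unsanitized file has already gone out.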

Why this breach mattered more than most

Okta is not an ordinary SaaS vendor. It is the authentication layer for organizations like FedEx, Cloudflare, and thousands of others. When the identity provider itself is breached, the trust anchor of every downstream system wobbles. CISOs had to ask a hard question: if we cannot trust our identity vendor's own security controls, what does that mean for our zero-trust architecture?

The cascading impact

  • Cloudflare reported that on October 18 it detected an attacker using an authentication token taken from Okta's support system to reach its own Okta instance, and said no customer data or systems were affected.
  • 1Password reported that an attacker used a session cookie from a HAR file it had uploaded to Okta support to access its Okta tenant; no user data was accessed.
  • Multiple enterprise customers rotated all Okta-linked session cookies and API tokens as a precaution.
  • The incident revived industry debate about whether identity should be centralized or federated.

For security teams, the Okta breach is a reminder that even world-class vendors with large security budgets can be compromised via a single stolen credential. Treat anything you upload to a vendor's support portal as potentially exposed: sanitize HAR files before sending them, keep admin session lifetimes short, and monitor your own session tokens, API keys, and uploaded diagnostics for leakage and reuse, independently of your identity provider's assurances. The telltale sign of a replayed session cookie is an existing session suddenly acting from a new IP address or browser without a fresh login, so that is the event your detection should key on.
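The detection logic described above, as an added example that is not Okta's or FoxHat's tooling: it groups Okta System Log records by `authenticationContext.externalSessionId`, flags any session that is later used from a different source IP or user agent than the one that started it, and raises the severity when the foreign source performs privileged actions such as creating an API token. The events are constructed for the example in the shape of System Log records; the privileged event-type prefixes and the 12-hour window are assumptions to tune for your tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event-type prefixes treated as privileged (assumption; tune per tenant).
PRIVILEGED_PREFIXES = ("system.api_token.", "user.account.", "group.user_membership.",
                       "application.user_membership.", "policy.")
WINDOW = timedelta(hours=12)  # how long after session start reuse is considered


def _ts(event):
    """Parse the System Log 'published' timestamp (UTC, millisecond precision)."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def _source(event):
    """(ip, user agent) pair that identifies where a request came from."""
    client = event["client"]
    return client["ipAddress"], client["userAgent"]["rawUserAgent"]


def find_hijacked_sessions(events, window=WINDOW):
    """Return one finding per session that was used from a source other than
    the one that started it within `window`, listing the foreign IPs and any
    privileged actions they took."""
    by_session = defaultdict(list)
    for event in events:
        session_id = (event.get("authenticationContext") or {}).get("externalSessionId")
        if session_id:
            by_session[session_id].append(event)

    findings = []
    for session_id, evs in by_session.items():
        evs.sort(key=_ts)
        first = evs[0]
        origin = _source(first)
        foreign = [e for e in evs
                   if _source(e) != origin and _ts(e) - _ts(first) <= window]
        if not foreign:
            continue
        privileged = [e["eventType"] for e in foreign
                      if e["eventType"].startswith(PRIVILEGED_PREFIXES)]
        findings.append({
            "session": session_id,
            "user": first["actor"]["alternateId"],
            "origin_ip": origin[0],
            "foreign_ips": sorted({_source(e)[0] for e in foreign}),
            "privileged_actions": privileged,
            "severity": "high" if privileged else "medium",
        })
    return findings


def _event(event_type, published, user, ip, ua, session):
    """Build a minimal constructed System Log record (sample data only)."""
    return {
        "eventType": event_type,
        "published": published,
        "actor": {"alternateId": user, "type": "User"},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
        "authenticationContext": {"externalSessionId": session},
        "outcome": {"result": "SUCCESS"},
    }


CHROME = "Mozilla/5.0 (Macintosh) Chrome/118.0"
CURL = "curl/8.4.0"
# Constructed events: session trsA is started in a browser from one address and
# later replayed from a second address with a different client, which then
# mints an API token. Session trsB is normal.
SAMPLE_EVENTS = [
    _event("user.session.start", "2023-10-18T09:00:00.000Z", "admin@example.com", "203.0.113.10", CHROME, "trsA"),
    _event("user.session.access", "2023-10-18T09:05:00.000Z", "admin@example.com", "203.0.113.10", CHROME, "trsA"),
    _event("user.session.access", "2023-10-18T11:30:00.000Z", "admin@example.com", "198.51.100.7", CURL, "trsA"),
    _event("system.api_token.create", "2023-10-18T11:31:00.000Z", "admin@example.com", "198.51.100.7", CURL, "trsA"),
    _event("user.session.start", "2023-10-18T10:00:00.000Z", "dev@example.com", "203.0.113.22", CHROME, "trsB"),
    _event("user.session.access", "2023-10-18T10:20:00.000Z", "dev@example.com", "203.0.113.22", CHROME, "trsB"),
]

if __name__ == "__main__":
    for finding in find_hijacked_sessions(SAMPLE_EVENTS):
        print(finding)
```

In production the events come from the System Log API or a SIEM export rather than a list literal, and a finding with severity `high` should trigger clearing the user's sessions and rotating any API token created from the foreign source. Keying on IP alone produces noise from mobile users and VPN exits, which is why the source is the IP and user-agent pair together; Okta's own post-incident guidance pushed in the same direction by binding admin sessions to network context.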

Source: "Okta says hackers stole data on all customers during recent breach," TechCrunch, November 29, 2023.
