Okta Breach 2023: When Your Identity Provider Becomes the Attack Vector and 134 Customers Pay the Price

September–October 2023
BREACH INTELLIGENCE

Breach date: September–October 2023
Industry: Cybersecurity (identity and access management)
Severity: Critical
Records exposed: Undisclosed
Financial impact: Undisclosed

Breach Summary

The 2023 Okta support system breach is one of the most consequential identity security incidents in enterprise history, not because of what attackers took from Okta itself, but because of what Okta's position as a universal identity provider made reachable through it. Okta is the identity and access management backbone for thousands of organizations. When a threat actor (publicly linked to Scattered Spider) compromised Okta's customer support case management system in September 2023, they gained access to the diagnostic files customers had attached to support cases, including browser HAR captures containing live Okta administrator session tokens. A breach of one identity vendor's support tooling thereby became a supply chain attack on every customer that had trusted that tooling with a diagnostic upload.

The downstream victims of the support system breach, 1Password, BeyondTrust and Cloudflare among them, demonstrate that the blast radius of a compromised identity provider extends far beyond the provider itself. MGM Resorts, which was hit by the same group in the same month, was compromised through social engineering of its own help desk rather than through Okta's support system, but it illustrates the same lesson: the attacker went after the Okta environment first because control of the identity layer yields everything behind it.

What Happened

The threat actor obtained access to Okta's customer support case management system using stolen credentials for a service account that was stored in the support system itself and had permission to view and update customer support cases. Within the support system, the attacker opened cases belonging to various Okta customers and downloaded the files customers had uploaded as part of troubleshooting. Among those files were HAR (HTTP Archive) files, browser network captures that record every request and response in a debugging session, including cookies, Authorization headers and any token returned in a response body.

The attacker extracted session tokens from the HAR files and used them to access the corresponding customers' Okta tenants directly, without ever authenticating to those tenants. 1Password detected suspicious activity in its Okta tenant on September 29 and reported it to Okta; the subsequent investigation tied the activity to a HAR file its IT staff had uploaded to Okta support. BeyondTrust identified a hijacked admin session in its tenant on October 2 and reported it the same day. Cloudflare reported the same pattern on October 18. MGM Resorts was breached in a separate Scattered Spider campaign that used help-desk social engineering to gain control of MGM's Okta environment; it was not a victim of the support system compromise, but it is frequently discussed alongside it because the same group targeted the same identity layer. Okta publicly confirmed the breach on October 20, 2023, and in a November 3 update stated that the attacker had accessed files belonging to 134 customers, roughly 1% of its customer base, and had used session tokens from those files to hijack the Okta sessions of five of them. Several of the affected customers are among the most security-conscious enterprises in the world, which is why their public write-ups are unusually detailed.

Attack Vector Detail

The Attack Vector: Customer Support System Compromise

Okta's customer support system was compromised through credential theft, not through any vulnerability in Okta's products. A threat actor, subsequently attributed to Scattered Spider, obtained a credential for a service account with access to Okta's support case management system. Once inside, they downloaded files customers had attached to support cases, including HAR files captured in the browser for network debugging. Those captures contained the session cookies and authentication headers of whoever recorded them, typically an Okta administrator reproducing a problem in the admin console.

A session token lifted from a HAR file is authenticated access: presenting the cookie is equivalent to being logged in as the administrator who recorded the capture, for as long as that session remains valid. Multiple Okta customers confirmed unauthorized access to their tenants traceable to session tokens taken from their own HAR uploads. The attack required no exploit. It required access to a support system and the recognition that routine support artifacts carry credentials, and it depended on two things the customers controlled: whether the HAR file was sanitized before upload, and whether the admin session could be replayed from an arbitrary network.
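The two paragraphs above describe what a HAR file gives an attacker; the script below shows the corresponding check a customer should run before attaching one to a support case. It is an added example, not Okta's own tooling, and it assumes the standard HAR 1.2 JSON layout (a log with entries, each holding request and response objects with headers, cookies, queryString, postData and content). The Okta cookie names sid (Classic Engine) and idx (Identity Engine) are real; the remaining header, cookie and body field names are generic and illustrative, and the sample capture, tenant, passwords and token values are constructed for the example.

```python
import json
import re
from copy import deepcopy

REDACTED = "[REDACTED]"

# Header names that carry bearer credentials in any HTTP exchange.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Cookie names that represent a live Okta session: "sid" (Classic Engine) and
# "idx" (Identity Engine). The other two are generic and illustrative only.
SENSITIVE_COOKIES = {"sid", "idx", "jsessionid", "dt"}
# Query-string parameters used to hand over tokens (OIDC/OAuth, SAML, Okta session tokens).
SENSITIVE_PARAMS = {"access_token", "id_token", "code", "sessiontoken", "samlresponse", "token"}
# Token-bearing fields inside JSON or form-encoded bodies, e.g. {"sessionToken":"..."}
# in the response to POST /api/v1/authn, or password=... in a form post.
TOKEN_IN_BODY = re.compile(
    r'(?i)("?(?:sessionToken|access_token|id_token|refresh_token|password)"?\s*[:=]\s*"?)([^"&\s]+)'
)


def _redact_pairs(pairs, names, where, findings):
    """Mask name/value pairs (headers, cookies, query params) whose name is sensitive."""
    for pair in pairs:
        if pair.get("name", "").lower() in names and pair.get("value"):
            findings.append((where, pair["name"]))
            pair["value"] = REDACTED


def _redact_body(text, where, findings):
    """Mask token-like fields in a request or response body."""
    def sub(match):
        findings.append((where, match.group(1).strip('":= ')))
        return match.group(1) + REDACTED
    return TOKEN_IN_BODY.sub(sub, text)


def sanitize_har(har):
    """Return (sanitized HAR copy, findings).

    findings is a list of (location, field-name) tuples, one per redacted value,
    so the uploader can see exactly what would otherwise have gone to the vendor.
    """
    clean = deepcopy(har)
    findings = []
    for i, entry in enumerate(clean["log"]["entries"]):
        req, res = entry.get("request", {}), entry.get("response", {})
        tag = f"entry {i} {req.get('method', '?')} {req.get('url', '?')}"
        _redact_pairs(req.get("headers", []), SENSITIVE_HEADERS, tag + " request header", findings)
        _redact_pairs(req.get("cookies", []), SENSITIVE_COOKIES, tag + " request cookie", findings)
        _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS, tag + " query param", findings)
        _redact_pairs(res.get("headers", []), SENSITIVE_HEADERS, tag + " response header", findings)
        _redact_pairs(res.get("cookies", []), SENSITIVE_COOKIES, tag + " response cookie", findings)
        post = req.get("postData", {})
        if post.get("text"):
            post["text"] = _redact_body(post["text"], tag + " request body", findings)
        content = res.get("content", {})
        if content.get("text"):
            content["text"] = _redact_body(content["text"], tag + " response body", findings)
    return clean, findings


def secrets_remaining(har, secrets):
    """Count occurrences of known secret strings anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return sum(blob.count(s) for s in secrets)


# Constructed sample, modelled on what a browser records while an admin signs in and
# opens the Okta admin console. Tenant, credentials and cookie values are invented.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "POST", "url": "https://example.okta.com/api/v1/authn",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "cookies": [], "queryString": [],
                 "postData": {"mimeType": "application/json",
                              "text": '{"username":"admin@example.com","password":"Winter2023!"}'}},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=102SnOcXYZ; Secure; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "102SnOcXYZ"}],
                  "content": {"text": '{"status":"SUCCESS","sessionToken":"20111abcDEF"}'}}},
    {"request": {"method": "GET", "url": "https://example-admin.okta.com/admin/dashboard",
                 "headers": [{"name": "Cookie", "value": "sid=102SnOcXYZ; DT=DI0abc"},
                             {"name": "Accept", "value": "text/html"}],
                 "cookies": [{"name": "sid", "value": "102SnOcXYZ"}, {"name": "DT", "value": "DI0abc"}],
                 "queryString": []},
     "response": {"status": 200, "headers": [], "cookies": [],
                  "content": {"text": "<html>...</html>"}}},
]}}
SAMPLE_SECRETS = ["Winter2023!", "102SnOcXYZ", "20111abcDEF", "DI0abc"]

if __name__ == "__main__":
    cleaned, found = sanitize_har(SAMPLE_HAR)
    for where, field in found:
        print(f"redacted {field:<13} at {where}")
    print("secrets left:", secrets_remaining(cleaned, SAMPLE_SECRETS))
```

The findings list is the point of the tool: run against a real capture it tells the administrator which cookies and which response bodies carried the session before anything leaves the machine. Note that redaction of the authn response is not optional; the sessionToken returned there is what the browser exchanges for the sid cookie, so a HAR that masks cookies but leaves the JSON body intact still hands over the session.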

Breach Pattern Timeline

Pre-October 2023

Okta is already a high-value target because it is the identity provider for thousands of enterprise customers. Two 2022 incidents had raised its threat profile: the Lapsus$ intrusion via a support engineer at the subcontractor Sitel in January 2022, and the theft of source code from Okta's GitHub repositories in December 2022.

September 28, 2023

Per Okta's November 3 disclosure, the attacker first uses stolen credentials to access Okta's customer support case management system. The credential belonged to a service account stored in the support system; an Okta employee had signed into a personal Google profile in Chrome on an Okta-managed laptop, and the service account's username and password were saved into that profile. Okta assessed the most likely exposure path to be the compromise of the employee's personal Google account or personal device.

September 28 – October 17, 2023

Window of unauthorized access to the support system, per Okta's November 3 update. The attacker opens customer support cases, downloads attached HAR files (HTTP archive captures containing session tokens), and replays those tokens against the corresponding customers' Okta admin consoles.

September 29, 2023

1Password detects unusual activity in its Okta tenant and reports it to Okta; the activity is later tied to a HAR file its IT team had uploaded to Okta support.

October 2, 2023

BeyondTrust detects an attacker using a hijacked Okta admin session and reports it to Okta the same day. Okta initially treats it as a BeyondTrust-specific issue and does not confirm a support-system compromise for more than two weeks.

October 18–19, 2023

Cloudflare detects the same pattern against its tenant and notifies Okta. On October 19 Okta confirms to BeyondTrust that its support system has been breached.

October 20, 2023

Okta publicly discloses the breach.

November 3, 2023

Okta's update puts the number of customers whose support files were accessed at 134, roughly 1% of its customer base, and states that session tokens from HAR files were used to hijack the Okta sessions of five of them.

November 28–29, 2023

Okta substantially revises the scope: the attacker had also run and downloaded a report containing the names and email addresses of all users of the customer support system, not only the 134 customers whose files were opened. The revision from "about 1%" to "all support users" does as much reputational damage as the breach itself.

Late 2023 – February 2024

Okta commits to a security overhaul: a 90-day pause on new product development to focus on security, announced in late 2023 and formalized in February 2024 as the Okta Secure Identity Commitment under CEO Todd McKinnon. Affected customers, BeyondTrust and Cloudflare in particular, had already published their own accounts in October 2023 criticizing the two-and-a-half-week gap between BeyondTrust's report and Okta's confirmation.

November 2023 onward

Okta implements security changes including disabling the compromised service account, blocking personal Google profiles in Chrome Enterprise on managed devices, binding Okta administrator sessions to the network location (ASN) they were started from so that a replayed admin token from a different network forces re-authentication, and guidance plus tooling to sanitize HAR files before upload. Industry-wide reassessment of identity provider concentration risk.

Total impact: names and email addresses of all Okta customer support system users accessed (the initial disclosure significantly understated this); support files for 134 customers opened and session tokens from them used to hijack five customers' Okta sessions; a foundational precedent both for identity provider concentration risk and for the reputational cost of revising a breach's scope after disclosure.
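The customers who caught this did so because a hijacked session looks different from the administrator's own: the same session identifier turns up from a new network, often with a new browser, and with no sign-in event from that network in between. That is the pattern Okta later addressed with ASN binding, and it is easy to hunt for retroactively in the System Log. The detection below is an added example, not Okta's own logic or any affected customer's. It assumes System Log events exported as JSON with Okta's real field names (eventType, published, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent, securityContext.asNumber, authenticationContext.externalSessionId); the users, addresses, ASNs and session IDs in the sample are constructed.

```python
from datetime import datetime

# Constructed Okta System Log events. The third event is the breach pattern: an existing
# admin session replayed from a network (and browser) the admin never authenticated from,
# with no preceding user.session.start from that network.
SAMPLE_EVENTS = [
    {"published": "2023-10-02T09:12:04.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh) Chrome/117"}},
     "securityContext": {"asNumber": 64500, "asOrg": "example corp"},
     "authenticationContext": {"externalSessionId": "trs1AbCdEf"}},
    {"published": "2023-10-02T09:12:30.000Z", "eventType": "user.session.access_admin_app",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh) Chrome/117"}},
     "securityContext": {"asNumber": 64500, "asOrg": "example corp"},
     "authenticationContext": {"externalSessionId": "trs1AbCdEf"}},
    {"published": "2023-10-02T14:47:51.000Z", "eventType": "user.session.access_admin_app",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "admin@example.com"},
     "client": {"ipAddress": "198.51.100.77",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/118"}},
     "securityContext": {"asNumber": 64501, "asOrg": "budget vps"},
     "authenticationContext": {"externalSessionId": "trs1AbCdEf"}},
    {"published": "2023-10-02T15:01:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.22",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh) Chrome/117"}},
     "securityContext": {"asNumber": 64500, "asOrg": "example corp"},
     "authenticationContext": {"externalSessionId": "trs2GhIjKl"}},
]


def _ts(event):
    """Parse Okta's ISO-8601 'published' timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def detect_session_reuse(events):
    """Flag every event in which a known externalSessionId appears from an ASN other
    than the one it was first seen on. Returns one alert dict per such event."""
    origin = {}   # externalSessionId -> first event that carried it
    alerts = []
    for ev in sorted(events, key=_ts):
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        asn = ev.get("securityContext", {}).get("asNumber")
        if not sid or asn is None:
            continue
        first = origin.setdefault(sid, ev)
        if first is ev or first["securityContext"]["asNumber"] == asn:
            continue
        alerts.append({
            "session": sid,
            "user": first["actor"]["alternateId"],
            "eventType": ev["eventType"],
            "first_seen": (first["securityContext"]["asNumber"], first["client"]["ipAddress"]),
            "now": (asn, ev["client"]["ipAddress"]),
            "minutes_since_first": (_ts(ev) - _ts(first)).total_seconds() / 60,
            "user_agent_changed": (first["client"]["userAgent"]["rawUserAgent"]
                                   != ev["client"]["userAgent"]["rawUserAgent"]),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(SAMPLE_EVENTS):
        print(f"{a['user']} session {a['session']}: {a['eventType']} from AS{a['now'][0]} "
              f"{a['now'][1]} {a['minutes_since_first']:.0f} min after first seen on "
              f"AS{a['first_seen'][0]}; UA changed={a['user_agent_changed']}")
```

A legitimate administrator who moves from the office to a mobile hotspot will also trip this, which is why the useful response is forced re-authentication (what Okta's ASN binding does) rather than silent blocking. The user_agent_changed flag is the discriminator worth weighting highest: a cookie replayed from an attacker's own browser almost never reproduces the original User-Agent string, while a roaming admin's does.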

Executive Lessons

The Okta breach established that identity providers are the single highest-value attack target in most enterprise environments, because one hijacked identity provider administrator session can reach every application connected through SSO. It also demonstrated that the vendor's own support tooling, which ingests customer diagnostic artifacts as a matter of routine, is part of each customer's attack surface and one the customer cannot directly control. Organizations must therefore extend their identity security requirements to their identity vendor's own supply chain, and must assume that anything uploaded to a vendor support case may be read by someone other than the vendor.

Private Equity Implications

PE portfolio companies that use Okta, Microsoft Entra ID, or any other SSO platform as their identity backbone are exposed to supply chain risk through those platforms' operational security. During M&A diligence, evaluating the identity provider in use, and the organization's sign-on and session policies (Conditional Access in Entra ID, authentication and admin session policies in Okta) that limit the damage from an identity provider incident, is a material security assessment dimension. The Okta breach specifically demonstrated this: the customers who published their accounts detected and contained the hijacked sessions because their own controls, such as phishing-resistant hardware-key MFA, admin session policies and anomaly detection on admin activity, flagged or blocked the attacker's actions, whereas an organization relying on Okta authentication alone with no additional access controls would have had no such backstop.

How Cloudskope Can Help

Cloudskope's Microsoft 365 and Identity Security Assessment includes evaluation of your Conditional Access architecture, session token protection controls, and SSO vendor security posture — specifically assessing the controls that limit blast radius when your identity provider experiences a supply chain security event.