Okta Admits Breach Impacted 366 Clients

As the investigation into a January breach continues, authentication company Okta announced that about 2.5 percent of its customers were impacted by the breach.

“The Okta service is fully operational, and there are no corrective actions our customers need to take,” according to the company, whose thousands of clients all over the world—including FedEx and Moody’s—use Okta’s services to provide network access.

The 22 March statement, attributed to David Bradbury, Okta’s chief security officer, added that the company has identified and reached out to the 366 potentially impacted corporate customers. “We are sharing this interim update, consistent with our values of customer success, integrity, and transparency. …We deeply apologize for the inconvenience and uncertainty this has caused.”

The breach occurred in January, when a member or members of the hacking and extortion group Lapsus$ gained access to a third-party customer support engineer’s laptop. The breach, which Okta reported lasted for five days, granted the attacker access to the company’s internal network. Once the breach was detected, the hacker or hackers were kicked out of the network.

In a Tuesday statement, Bradbury noted that the potential impact on Okta customers of the hack was limited to the access that support engineers have. “These engineers are unable to create or delete users, or download customer databases,” Bradbury said.

“Any hack of Okta could have major ramifications for the companies, universities, and government agencies that depend upon Okta to authenticate user access to internal systems,” The Verge reported.

Much of the recent criticism leveled against Okta is based on the two-month period between when the hack was discovered and when impacted customers were informed. Okta’s clients were not informed about the breach until earlier this week, when Lapsus$ shared screenshots depicting Okta’s apps and internal systems on its Telegram channel. The screenshots appear to show the company’s Slack channels and a customer’s interface. “Support engineers do have access to limited data…that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords,” Bradbury acknowledged.

“I think a lot of people are assuming the absolute worst,” Dawud Gordon, co-founder and chief executive officer for the identity security support company Twosense, says of how Okta communicated the breach to its clients and the backlash it has received on social media. Although he concedes that Okta could have done a better job in communicating the breach to its clients, Gordon adds he would be “shocked” if there was malicious intent in Okta’s decisions. He describes Okta as an organization with a strong and positive culture that would not abide malicious intent, especially in such a scenario.

According to a timeline provided by Bradbury, the delay between the discovery of the breach and its report was due to the length of the investigation into the event. After the hacker was ejected from the network on 21 January, Okta informed the engineer’s company, Sitel, about the breach.

Sitel, a sub-processor, is contracted to “help us deliver for our customers and make them successful with our products…[and] provides Okta with contract workers for our customer support organization,” Bradbury said.

“Malicious hackers have previously targeted customer support companies, which often have weaker cybersecurity defenses than some of the highly-secured companies that they support,” TechCrunch reported, and noted that Microsoft and Roblox were also targeted by hackers through these third-party entities.

Twosense, which monitors biometric behavior to support identity authentication, works with both Okta and Sitel customers. Gordon describes both companies as “best-in-class” firms.

“That’s the scary thing,” Gordon says of the breach. And although these companies trade in preventing unauthorized users or attackers from accessing protected networks or databases, “it’s still happening to them.”

“Attackers attack Microsoft and Okta because they know the value of identity. Identity, not apps, not servers, not devices, is the important component in the cyber security world,” said Rajiv Pimplaskar, chief executive officer for Dispersive Holdings, Inc.

Bradbury added that Sitel hired a forensics firm to investigate the breach, which was concluded on 28 February. The unnamed firm gave Sitel its report, dated 10 March, with Okta receiving a summary report on 17 March—however, Okta did not receive a complete investigation report from Sitel until 22 March.

“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications,” Bradbury said.

Sitel has contested Okta’s take on the incident and investigation. “We are confident there is no longer a security risk,” Sitel spokesperson Rebecca Sanders told TechCrunch. “We are unable to comment on our relationship with any specific brands or the nature of the services we provide for our clients.”

A representative from Nuspire recommended that any Okta clients who have been impacted by the breach should take the following actions:

  • Review Okta audit logs for suspicious activity focused on superuser or admin Okta accounts.
  • Rotate passwords for high-privileged accounts.
  • Check for privileged accounts that were created during the time of the breach, 16 January to 21 January.
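The three review steps above can be carried out against an export of the Okta System Log. The script below is an added example and is not code from Okta, Nuspire, or the article: it reads newline-delimited System Log entries, keeps only the event types that correspond to the capabilities the article describes (account creation, admin privilege grants, and the password and MFA-factor resets that support engineers can perform), restricts them to the 16–21 January window (taken as 2022), and returns the accounts whose passwords should be rotated or whose creation should be justified. The sample log lines, the `example.com` accounts and the helper names are constructed for this example; the event type strings are real Okta System Log `eventType` values, but the record shape is reduced to the fields the script uses.

```python
import json
from datetime import datetime, timezone

# Event types that map to the article's concerns: new accounts, admin privilege
# grants, and the resets that a support engineer is able to perform.
WATCHED_EVENT_TYPES = {
    "user.lifecycle.create",
    "user.account.privilege.grant",
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
}

# Review window from the article: 16 January through 21 January (end is exclusive),
# assuming the year 2022. Expressed as timezone-aware UTC datetimes.
BREACH_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
BREACH_END = datetime(2022, 1, 22, tzinfo=timezone.utc)

# Constructed sample in the shape of Okta System Log entries (a subset of the real
# fields). Every account name and timestamp here is invented for this example.
SAMPLE_LOG = """\
{"published": "2022-01-10T08:00:00.000Z", "eventType": "user.lifecycle.create", "actor": {"alternateId": "hr-sync@example.com", "type": "User"}, "target": [{"type": "User", "alternateId": "jane.doe@example.com"}], "outcome": {"result": "SUCCESS"}}
{"published": "2022-01-17T10:02:11.000Z", "eventType": "user.lifecycle.create", "actor": {"alternateId": "support-eng@example.com", "type": "User"}, "target": [{"type": "User", "alternateId": "svc.backup@example.com"}], "outcome": {"result": "SUCCESS"}}
{"published": "2022-01-18T03:41:09.000Z", "eventType": "user.account.privilege.grant", "actor": {"alternateId": "support-eng@example.com", "type": "User"}, "target": [{"type": "User", "alternateId": "svc.backup@example.com"}], "outcome": {"result": "SUCCESS"}}
{"published": "2022-01-19T12:00:00.000Z", "eventType": "user.session.start", "actor": {"alternateId": "jane.doe@example.com", "type": "User"}, "target": [], "outcome": {"result": "SUCCESS"}}
{"published": "2022-01-19T22:15:30.000Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "support-eng@example.com", "type": "User"}, "target": [{"type": "User", "alternateId": "it.admin@example.com"}], "outcome": {"result": "SUCCESS"}}
{"published": "2022-01-25T09:30:00.000Z", "eventType": "user.account.privilege.grant", "actor": {"alternateId": "it.admin@example.com", "type": "User"}, "target": [{"type": "User", "alternateId": "new.hire@example.com"}], "outcome": {"result": "SUCCESS"}}
"""


def parse_published(ts):
    """Parse the System Log 'published' timestamp (always UTC, 'Z' suffix)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_system_log(text):
    """Parse newline-delimited JSON log entries into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_window_findings(events, start, end):
    """Return watched events that fall inside [start, end), oldest first."""
    findings = []
    for ev in events:
        if ev.get("eventType") not in WATCHED_EVENT_TYPES:
            continue
        when = parse_published(ev["published"])
        if not (start <= when < end):
            continue
        # Only User-type targets are accounts; roles and apps also appear as targets.
        targets = [t.get("alternateId") for t in ev.get("target", []) if t.get("type") == "User"]
        findings.append({
            "published": ev["published"],
            "eventType": ev["eventType"],
            "actor": ev.get("actor", {}).get("alternateId"),
            "targets": targets,
            "outcome": ev.get("outcome", {}).get("result"),
        })
    findings.sort(key=lambda f: f["published"])
    return findings


def accounts_to_review(findings):
    """Accounts touched in the window: candidates for password rotation or removal."""
    return {acct for f in findings for acct in f["targets"]}


def actors_in_findings(findings):
    """Who performed the flagged actions; unexpected actors deserve a closer look."""
    return {f["actor"] for f in findings if f["actor"]}


if __name__ == "__main__":
    events = parse_system_log(SAMPLE_LOG)
    findings = find_window_findings(events, BREACH_START, BREACH_END)
    for f in findings:
        print(f["published"], f["eventType"], f["actor"], "->", ", ".join(f["targets"]), f["outcome"])
    print("accounts to review:", sorted(accounts_to_review(findings)))
    print("actors involved:", sorted(actors_in_findings(findings)))
```

Against the constructed sample, the account created on 10 January and the privilege grant on 25 January fall outside the window and are not reported, while the creation of `svc.backup`, the privilege grant to it, and the MFA reset on `it.admin` are, all performed by the same support-engineer account. In a real review the export would come from the Okta System Log API or admin console, and the interesting filter is usually the actor: resets and grants performed by accounts that are not your own administrators during the window are what the Nuspire steps are meant to surface.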

Gordon adds that any company should also review the basics. “The first thing is you’ve got to start off with some kind of two-factor (authentication),” he says. “From there you move to patching, make sure that as vulnerabilities come out, you keep your system up to date. Those are all the basics, and everyone involved in what just happened here did that and so much more…They covered all the bases.”

But while human elements remain in authentication, there will also remain a struggle between securing a network and user comfort. “The only way that this could have been stopped is if that engineer was doing a two-factor check every ten minutes,” Gordon says. Not exactly convenient for productivity, and more likely to be seen as an annoyance.