It means they learned something, and they are now stronger as a company and are less likely to have the same security breach happen again. Seems like a time to buy if you ask me.
Since this is a general comment, here are some general responses.
> It means they learned something,
That’s debatable.
> and they are now stronger as a company
Really not sure we can assume this unless the company is transparent, quickly apologetic and clearly says what it will do.
> and are less likely to have the same security breach happen again
If there’s one thing I’ve seen in the industry, companies change because their people change and policies change and external pressures change. There is absolutely no way to be over optimistic and believe that things won’t get far worse in the future.
Information security doesn’t get a lot of long term attention. There’s too much fatigue by constant breaches and leaks that companies do the minimum PR to let it slide in a few days or weeks. Even any government hearings will be met with PR statements and sentences that nobody actually believes.
That Solarwinds is still in business and also had another security breach recently should tell you everything you need to know about the real impact of these things in the long term.
Okta's stock may be down but it will go back up once collective amnesia sets in.
What would be more interesting is figuring out how you could claim some kind of injury as an Okta customer due to this incident...
Yes. No one really gives a shit if their vendors are hacked. They are just happy that they have someone else to point at from a risk perspective. "They had all these third party certifications that said it was safe. It wasn't our fault.".
This isn't really the right approach because it really shows that you don't give a shit about your customers either and only care about covering your ass.
Companies pay lip service to idiots to collect cash from said idiots.
Mentioning this tends to make the dumbass business goons have a frowny face reaction. (It’s better to pay lip service than admit one is a morally adrift turd)
The company just has to actually care about the security of peripheral systems like this that aren't directly a part of their product offering. Okta has more than sufficiently smart admins who can prevent session tokens from being stolen, but I'm willing to bet their attention is devoted 95% at least to Okta itself and not their external help desk that they probably don't even run themselves. Attackers will always find your weakest link, whatever you think is too insignificant to devote effort to.
I feel like it will bounce back... this breach was the support case management system, separate from the production Okta service. Still embarrassing for sure, still risk of confidential info exposed, but doesn't seem to impact core infrastructure.
I wonder what was really achieved when we left basic auth with sessions and moved to web tokens. None of these jwt services handles logouts as far as I know. It is just a more complex way of doing just about the same thing.
28 comments
[ 2.6 ms ] story [ 63.7 ms ] threadIt means they learned something, and they are now stronger as a company and are less likely to have the same security breach happen again. Seems like a time to buy if you ask me.
Also, they are a company that others rely on for security. In this case they failed to do their job.
It's pretty similar to the LastPass hack. Do you still trust them?
I didn't trust them before (and never used them) but I might trust them more now.
Do you trust first-time plumbers or veteran plumbers that have f-ed up a couple times and learned a few things?
> It means they learned something,
That’s debatable.
> and they are now stronger as a company
Really not sure we can assume this unless the company is transparent, quickly apologetic and clearly says what it will do.
> and are less likely to have the same security breach happen again
If there’s one thing I’ve seen in the industry, companies change because their people change and policies change and external pressures change. There is absolutely no way to be over optimistic and believe that things won’t get far worse in the future.
Information security doesn’t get a lot of long term attention. There’s too much fatigue by constant breaches and leaks that companies do the minimum PR to let it slide in a few days or weeks. Even any government hearings will be met with PR statements and sentences that nobody actually believes.
To add to your thinking
Stronger: How much stronger? How do you measure? How do you test?
Less Likely: How much less likely? And could it instead make them more likely to see attacks since they've been exposed.
It doesn't take much to lose sight of proper controls, processes, etc. Something simple like team turnover can cause something to be missed.
Also, re: transparency, it's going to be interesting to see how companies handle the SEC's new rule regarding material cybersecurity issues.
Clorox, as an example, has released multiple 8Ks recently as they continue to work through their August incident.
https://www.sec.gov/news/press-release/2023-139
https://www.beyondtrust.com/blog/entry/okta-support-unit-bre...
What would be more interesting is figuring out how you could claim some kind of injury as an Okta customer due to this incident...
The lack of attributable damage is why this isn’t taken seriously.
This isn't really the right approach because it really shows that you don't give a shit about your customers either and only care about covering your ass.
Edit: Headline needs to desensetionalaze a bit. -11.57% isn’t too bad.
Hackers Stole Access Tokens from Okta's Support Unit
https://news.ycombinator.com/item?id=37959904
So it allows attackers to compromise Okta's customers core infrastructure.