184 comments

[ 4.1 ms ] story [ 237 ms ] thread
I know govt. contractors use Okta for authentication. Since names and emails were taken, I expect more targeted phishing attacks as a result of this. Fortunate it wasn’t sensitive data (hopefully.)
Gov orgs usually would use a FedRamp tenant and those weren’t impacted (apparently, my trust in Okta right now isn’t high)
(comment deleted)
Okta is rated as FedRAMP High...seems like their rating means fuck all imo.
A fedramp high accreditation means you at least have your shit together.

Not easy to fake that one. I guess you could have a shitty coalfire assesor

Having been involved in both sides of other certifications before (not FedRAMP specifically though) my level of trust in them is through the floor. So much meaningless box ticking & not much actual substance.
(comment deleted)
Good, so next time people learn not to use and/or reject any service that tries to ask you to register in these “identity verification” services.
I think most people who use Okta probably do so because it's required by their employer.
How did Okta even get that big, it seems like sso could be cheap oauth in house. I've herd they ahve many other integrations/webhooks but that doesnt seem the cost of outsourcing one of the most vital part of your org.

Am I missing something, some magic other than sales and gullible pm's?

One place to go to deactivate many logins for an ever expanding world of SaaS systems is basically necessary in 2023 for enterprise. Okta has been building that.
We've spent years telling folks that $X is too hard; so just out-source to $LIB or $PACKAGE or $VENDOR. Now we've got a whole huge group of builders, managers of makers that make these plans/calls.

We should stop saying $X is too hard and start, at least, trying to help more folk realize it can be done in house.

It all started when it became "too much trouble to host your own email" and then all the centralization and vendorification happened...and stay off my lawn!

I honestly wonder when/if there will be a time where everything will be insourced again and thus removed from the cloud.
90% of the world's compute power is not cloud. Guesstimate from the traffic patterns at telecom (including non internet capacity).
To be fair, when people host their own email we end up with them also not patching the exchange servers and subsequently getting hacked anyway.
On average decentralization would make it less safe not more though. Most medium/small and even some large businesses would definitely mess something up if they had to do it themselves
Amazing sales team. Was working at auth0 when okta bought them and they kept going on about how great oktas sales org was.
> it seems like sso could be cheap oauth in house

It's outsourcing risk. Auth is hard, we all know it (yes, it is hard), and it's cheaper to outsource to a company who has it as their core competency, than hire internal experts.

“Cheaper” is an interesting term to use when we’re talking about auth. I guess it depends on how much a company values the ability of outside entities to not have access to internal resources. Some companies would peg that value at the entire value of the company.
Some companies also trust an outside entity to get it right more than they trust themselves.
Some companies are also happy to be able to blame a third party. And there's safety in numbers. A risk mitigation of a different kind.
A lot of companies rely on third party vendors for physical access management because who wants to in-source maintenance of locks/doors/badge readers/etc.

I’m not sure why it comes across as unusual for wanting to outsource a service that is incredibly easy to get wrong to someone whose core focus is getting that right.

Unfortunately Okta seems too eager to downplay these incidents, but that doesn’t mean all authentication services are equally flawed.

It's basically THE WAY to get authorizations for medical practices to get prescriptions approved for patients in the US. Ridiculous. (Along with a bunch of other medical logins.)
(comment deleted)
Nice. Is it the third time this year that we have good news from Okta? I don't know why we are still using it. What other options are out there?
On one hand, the market seems to react to these appropriately. On another hand, the market has a short-term memory and prices go back up.

It's unfortunate Auth0 was acquired by them. Have used it from the beginning and it used to be a great product before the Okta acq. Now it's just constant sales emails, expensive pricing, not much new feature launches, most features are very enterprise focused, bunch of bugs, frequent outages.

Stock 41% up in the last 12 months is not appropriate.. it basically signals, "buy at a huge discount after each incident, we'll keep it rising regardless".

At this point, one could speculate they are not worth almost at all given they fail to deliver on their primary value proposition. They are not and have not been profitable either, only getting worse: https://finance.yahoo.com/quote/OKTA/financials?p=OKTA

This sort of business doesn’t have to immediately realize a profit they just have to expand their base of customer and dig their claws deeper into their customers core infrastructure. Once they do that they can exploit their customers for years before they’l be able to escape. Since they are frequently going to be competing in “lowest bidder wins” competitions they’re be foolhardy to try and make a profit up front honestly, counter-intuitively it would be lighting money on fire. This is also a product with pretty substantial benefits from scale, as Okta gets bigger more things integrate with them so they’re easy to integrate with so they get bigger…

I’m just wondering who in the industry is still stupid enough to stick their neck out for Okta? Why are they getting new customers? Why not go with the other devil you know your cloud provider to offer mostly the same services? What is Okta offering when they seem relatively incompetent compared to the competition that often offers their products for cheaper up front?

They're still growing revenue, at least as of July.
Throw a docker container with keycloack and selfhost.
If only it were that easy. Yes, you can run it as a docker container and self host.

But self hosting is non-trivial. You have to deal with DNS, TLS certificates, configuring Keycloak, data backups, and redundancy.

I set it up once so I could evaluate it. I may yet choose to self host but I'm not under any illusions that it's easier than paying for a service.

When you're evaluating solutions make sure to look into Authentik too. For my small company needs it was much much easier to understand and setup and it's only gotten better and more featureful.
Authentik takes a little more to set up than KeyCloak, but the effort is well worth it when you go to configure TOTP. Authentik 2FA UX can be quite easy, similar to commercial products.
There are plenty of valid concerns around self-hosting it, but I fear for the future of our profession if things like DNS, TLS certificates and backing up a database on a schedule are now considered hard.
This is not a new breach, it is a disclosure of additional findings from the last breach.
Entra ID (Azure ad) free above a p2/E3 I think. Auth0 bought by okta. Ping. Google.
Have heard good things about FusionAuth. (Not a user, but friends speak highly of it).
Thanks for mentioning us! (I'm a FusionAuth employee.)
What is a good, alternative, external authentication solution outisde of Okta and their auth0 product, then? I was looking to use their product because I have trusted their ability to manage authentication.
What are you trying to do? Is self hosting keycloak an option?
Honestly, I'd rather not self-host anything. Many people, such as Amazon and Auth0 provide services to handle authentication for you, so you're just given a jwt token or session information. I want to pay pennies per user to have it done right(tm)
I didn’t realize it until looking at it just a moment ago, but Auth0 is an Okta subsidiary. They don’t have a stellar record by themselves [0]. I guess that leaves Amazon? That’s not super encouraging.

[0] https://www.bleepingcomputer.com/news/security/auth0-warns-t...

Amazon Cognito is an attractive option for authentication since it has a good free tier and is relatively inexpensive even outside of the free tier.

The downside I ran into is that it doesn't support SAML SSO. It is only OAuth, OpenID Connect, and JWT.

As an auth backend to an app, perhaps, but the web login forms for Cognito had terrible UX (when we were using it). So terrible that we had daily customer-reported support tickets that we had no ability to fix (short of writing our own full UI).

Also, sharding user records into Cognito pools was a bit frustrating. Hopefully AWS has invested in fixing these issues.

Firebase and Supabase might also be good options for authentication. Cheaper with generous free Tier.
> I want to pay pennies per user to have it done right(tm)

Okta's whole value prop was that they do it "right"... Oops.

https://www.ory.sh/ bonus is that you can run it on your own as well.
I'm looking at this one and it seems to cover things that I need (admittedly, without a free tier, but what'reyougonnado). I knew about Okta through people in the security space and that's why I trusted it. I don't see anything on Ory's page that seems to explain the audit work they do, etc. Is this something you are familiar with? Or?
Yes, we're using it in production. However, we have deployed our own stack of it. You don't have to use their service if you don't eant to. It's open source, so in a way there is a free tier to it if you can put some work into deployment.
10/10. Ory is top notch. Using on prem
Authentik is easiest to self host and give you everything you would expect in an premium offering, it's opensource and just need a single docker compose command to up and running. https://goauthentik.io/
Supertokens - open source user authentication.

Our UI is native to your website (no redirects) and the auth logic sits within your backend api layer - giving you a lot more control

You have Azure (sus), Google (eh), OneLogin, LastPass(?), PingID.

Okta is nuts. 5th time in two years. Who the F*** is running that place?

This is not a new breach, it is a disclosure of additional findings from the last breach.
IMO Google is probably the best bet, given the strength of their security engineering folks.
(former Userify CEO, so probably a bit biased, but we only focus on SSH/sudo, so not too much overlap)

I agree completely, except with the obvious stipulation that Google seems to be only SaaS and thus extremely high-value target, but Google's security has always been top notch and you can tell they actually care.

Ping Identity seems to be doing pretty well (now owned by Thoma Bravo) and haven't heard of any publicly disclosed leaks.

LastPass has had several well-publicized breaches recently, though.

Google has one of the best security practices and teams out there, so I would agree. They don't need to support legacy systems nor have so many disparate systems like MS has, so they an advantage over MS despite MS having a good security team as well. Only dings on them is service in this area as well as baked integrations (Okta has tons)
Maybe the truth is nobody can stand up to targeted attacks.
(comment deleted)
MS Marketing would like you to edit your post to mention that Azure AD™ is now Entra ID™. This is a new product like MS Fabric is a new product.
We use Userfront and it's been solid
Check out ZITADEL— It fuses the best features of Auth0 and Keycloak into a more modern, innovative package. (full disclosure, I'm part of the team)

It's an open-source IAM solution. It offers a cloud-based SaaS option and can also be downloaded for self-hosting. You can try the hosted cloud version for free - https://zitadel.com/signin

It provides:

- authentication and authorization capabilities (including SSO, IdP Federation)

- auditing

- custom extensions

- support for standards such as OIDC/OAuth/SAML/LDAP

- full API support

- various authorization strategies, including Role-Based Access Control (RBAC) and Delegated Access, making it a great choice for both B2C and B2B scenarios.

It mostly aims to ensure ease of operation and scalability (users love the simplicity). The community and team actively contribute towards development and support.

You can download it and host it yourself - https://zitadel.com/docs/self-hosting/deploy/overview

Github- https://github.com/zitadel/zitadel

Case studies and testimonials - https://zitadel.com/blog/tags/successstory

Jumpcloud if you’re looking for SaaS. It has been a year or two since I last used them but it worked well for our needs.
I mentioned it above, but FusionAuth is supposedly good. They offer a paid cloud and free self-hosted version, so you get the benefits of rolling your own without as many risks. (No affiliation with the company on my part, so I can't speak to any specifics - they're just local and I continually hear good things from friends who know and use them.)
Ask yourself why you need it - if it's to handle auth for an SaaS, your web application framework most likely already has a battle-tested auth implementation you can just use.

In this case, introducing a third-party doesn't help. You can still screw up the integration (or merely configuration - a general-purpose IdP has lots of features that may not apply to your use-case, yet misconfiguring them could leave a large security hole without even realizing it), and you are still on the hook for security regardless (if your app is vulnerable, it doesn't matter how secure the IdP is as they can just bypass it).

Disclosure: I work for FusionAuth.

We're a commercial offering with self-hosted and SaaS options. I don't have a ton of insight into your needs, but it is a solid, well documented external authentication system.

We have a free option available here: https://fusionauth.io/download or you can pay us for premium features, hosting or support.

Why did they have to buy Auth0??
So you can’t run to a competitor when things like this happen.
Better question: why were they allowed to acquire Auth0?
Yet another breach of Okta...

Why are companies not running something like keycloak [1] themselves? Are administrative/maintenance costs too high or is it plausible deniability?

[1] https://keycloak.org

Keycloak is fairly easy to maintain. I run a deploy in AWS/ECS, and nearly never needs to be touched... except when an upgrade is required. Every upgrade has been challenging, starting with change to Quarkus, followed by removing dependencies from the docker images.

But when it's not being upgrade, it's fantastic. Many thanks to Red Hat.

This is not a new breach, it is a disclosure of additional findings from the last breach.
I'm not sure why you keep saying this as if it makes the fact that they lied about the most recent breach any better.
Because people who don't bother to read the article assume it's a new breach, as we can see in the comments here ("another breach"). I'm not saying that it makes it better or worse.
At this point it might be time to stop using the service handling your company's auth, which is supposed to be the most secure link in the chain, yet is being hacked every quarter.
Use stronger MFA as in, not use okta?!
This is the same breach as before, with more details about what happened, not a new breach.
It's probably just confirmation bias because authentication system breaches get more coverage, and I pay more attention to them, but it seems like all the big players get pwned far too often. You had one job, buddy. Okta, 1Password, LastPass all had breaches or other failures. With so many self-hostable solutions available, I dunno why small/medium-sized companies trust external third parties.
Did 1password actually have a breach though? I think they stated due to Okta they reviewed their own systems and found nothing.
It just never ends with this outfit.
Jeez the hits keep coming. Every time they have to update about this Oct breach it puts FUD in my mind about this company, that I have never done business with anyway.
They cant get away with "oh shiz we screwed up", this is the essential part of their business. If you're unable to perform the fundamental service you are offering, it's indefensible. Okta having a security breach is like a pizza shop owner who's unable to make a pizza.
But the shoemaker's children have no shoes?
Not sure if it's reasonable to expect perfect security, people are fallible so that position won't make you very happy. We'll all get hacked, question is if we make it easy for them to gather private information which in this case didn't seem to have happened. The fact that it wasn't, probably is due to it being "the essential part of their business".
This could be potentially really dangerous. Most Okta customers who would use support would be IT admins. This is a pretty good list to start social engineering to get more information from other customers just by calling or emailing IT members impersonating corporate end users.
One of the most literal cases of "the breach is always twice as bad as the initial disclosure claims" I've seen. Also TIL the dept of defense uses okta that's reassuring for someone I'm sure.
It took them almost a month to review their initial analysis? What is going on at this company that they can afford to be so aloof?

> Today we are sharing new information that potentially impacts the security of our customers

Maybe in another month they will conclude whether or not that “potentially” is a yes or no.

I assume their customers are vendor-locked to hell. Crazy what people do for convenience.
What blows my mind is that they've somehow managed to turn relatively minor incidents that aren't even compromises to their core systems into top-of-the-news-cycle meltdowns.

The Lapsus$ compromise in 2022 was a third-party IT subcontractor getting their spy-on-the-employees RDP popped, and then Lapsus$ using incredibly limited access to the Okta admin tool to take some screenshots of support dashboards. Honestly it could have been spun into a "hey, our defense in depth pretty much worked!" story.

Then, the most recent issue was an employee's third-party password manager getting compromised, allowing an attacker to log in to the support ticket tracker, which happened to contain HAR files with creds in them as well as details on support contacts. I bet a lot of enterprises are vulnerable to this, the HAR file thing is actually a great lesson in a highly unexpected threat vector. But somehow Okta have managed to turn it into a months-long top-of-the-news cycle incident, first by denying the compromise happened at all and then by underplaying the access the threat actor had to the support ticket tracker.

Drama sells ads.

It's the same reason most news stories are shit today. They aren't about conveying information or educating anyone about events in the world.

They are clickbait garbage, meant solely to drive traffic in for Ad revenue and in recent history, they are slanted based on a bias that the owner wants, not any sort of factual, unbiased reporting that one may have erroneously expected from the 4th Estate.

What a shit world humans have created.

That about sums it up. Journalists either washing the dirty laundry of trillion dollar companies or peddling their product launches for the off-chance of a special scoop in the future. The big sites are definitely no more than this, with very few exceptions for opinion pieces, but even those are heavily being guard-railed against all the “politically correct” nonsense.
A 5x3 table sure looks less embarrassing than a list of 15 items
On my browser on iOS two columns get cut off. I thought it was a 3x3 table until I read this.
Same here. You can't even scroll to see it. I'm sure it's not intentional.
Will Okta pay a ransom for their own bugs?

Will security companies release enterprise one-use email address products like Apple’s “Hide My Email?”

Hide My Email generates unique, random email addresses that automatically forward to your personal inbox. Each address is unique to you. You can read and respond directly to emails sent to these addresses and your personal email address is kept private.

https://support.apple.com/en-us/105078

"For 99.6% of users in the report, the only contact information recorded is full name and email address."

I can see the retraction already: "We have run a fully unfiltered scan, as opposed to a regular unfiltered scan, and it turns out we released the full age, name, address, and DNA sequence of every customer support user."

Remember, they have to wait until there is literally not chance of the victims mitigating the issue, because releasing the info in a timely manner may affect the next quarter's numbers and the sole consequence will be a fine, paid with other people's money.

Source: Most breaches.

Names and email addresses of people likely to be an Okta admin or superadmin in your org....aka a curated target list for your next spear phishing campaign
It's so strange to me that Okta have retained their CSO. None of the recent breaches seem particularly egregious in isolation, but the pattern around bungled communication and failed follow-up investigations is comical.
They’re waiting for all of them to be public before firing the CSO. That’s the CSO’s job, to get fired.
Lol I love that phrasing. That's the ciso job - scapegoat
When we propose our niche SAAS to larger customers, we're sometimes measured from a security perspective on whether we will integrate with their Okta SSO.

Those discussions feel stranger by the day

If you become big enough, you'll get hacked too. Question is how hard you make it to find anything useful.
Absolutely. And if you get bigger still (Azure), nobody will even want to discuss it.
The product/company feels like the natural progression of the whole Oracle/Java/JS/SAML schtick, and has become the de facto when dealing with the kinds of people who base their whole company's IT personality on that stack. They're trying very, very hard to make it seem like it's another "no one got fired for buying IBM" kind of decision. Except... oops!
It seems quite unlikely you're getting fired for going with a massive vendor like this even if they have security incidents.
(comment deleted)
Clown show. Why hasn't their CSO been fired by now.
Because then the problem of handling the issue move upwards and no other C-level people would want to touch this.
Remember RSA and OPM? The RSA hack had huge implications for the Department of Defense, and was probably a state-sponsored hack (likely China). Around the same time the Office of Personnel Management (OPM) was hacked. So the state-sponsored hackers got to all the private details of anyone with classified access and clearances (which can be used for blackmail or for answering those strange "Who was your 3rd grade teacher?" auth questions to get past an identity test), and simultaneously could hack the rotating MFA codes from RSA.

Auth companies will always be a high value target for state-sponsored espionage.

Fields which may facilitate security questions such as those you quote are explicitly not included in the report run by the 'threat actor'. In fact "for 99.6% of users in the report, the only contact information recorded is full name and email address."[1]

1.TFA

Maybe you could read the flipping comment?
Man those were the good old days. Remember when Gemalto, the main producer of key card cryptographic materiel- including DOD CACs- was hacked?
Yep. Gemalto was hot stuff for a while.