2023-11-29 Okta, Inc. Cybersecurity Incident

Page last updated on September 29, 2025

Okta, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-11-29 07:15:50 EST.

Incident Details

Material: Unknown
Is Breach: Yes
Records Compromised: Unknown
Data Types Impacted: Username, Email, Name

Compromised Date: Unknown
Detected Date: Unknown
Disclosure Date: 2023-11-29
Contained Date: Unknown
Recovered Date: Unknown

Attack Goal: Unknown
Attack Tactics[1]: TA0010 (Exfiltration)
Attack Techniques[1]: T1213 (Data from Information Repositories)

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-11-29

Okta, Inc. filed an 8-K at 2023-11-29 07:15:50 EST
Accession Number: 0001660134-23-000065

Item 7.01 Regulation FD Disclosure.

On November 29, 2023, the Company issued a post to its Security Blog website at sec.okta.com (the "Blog Post") disclosing additional details relating to a security incident that was previously reported on its Security Blog on October 20, 2023 and November 3, 2023. The Blog Post is furnished with this report as Exhibit 99.2 and is incorporated herein by reference.

Also on November 29, 2023, the Company posted supplemental investor materials on its investor.okta.com website.

The Company uses its investor.okta.com website and okta.com/blog websites (including the Security Blog, Okta Developer Blog and Auth0 Developer Blog) as a means of disclosing material non-public information, announcing upcoming investor conferences and for complying with its disclosure obligations under Regulation FD. Accordingly, investors should monitor the Company's investor relations and okta.com/blog websites in addition to following its press releases, SEC filings and public conference calls and webcasts.

The information furnished in the current report on Form 8-K and in the accompanying Exhibits 99.1 and 99.2 shall not be deemed "filed" for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), or incorporated by reference in any filing under the Securities Act of 1933, as amended, or the Exchange Act regardless of any general incorporation language in such filings, unless expressly incorporated by specific reference in such filing.

Exhibit No. 99.2

Okta, Inc. Security Blog post dated November 29, 2023

Exhibit 99.2 Published at https://sec.okta.com/harfiles

October Customer Support Security Incident - Update and Recommended Actions
Date: November 29, 2023

In the wake of the security incident Okta disclosed in October 2023 affecting our customer support management system (also known as the Okta Help Center), Okta Security has continued to review our initial analysis shared on November 3, re-examining the actions that the threat actor performed. This included manually recreating reports the threat actor ran in the system and the files the threat actor downloaded.

Today we are sharing new information that potentially impacts the security of our customers.

We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRAMP High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident.

The threat actor ran a report on September 28, 2023 at 15:06 UTC that contained the following fields for each user in Okta's customer support system:

Created Date
Last Login
Full Name
Username
Email
Company Name
User Type
Address
[Date of] Last Password Change or Reset
Role: Name
Role: Description
Phone
Mobile
Time Zone
SAML Federation ID

The majority of the fields in the report are blank and the report does not include user credentials or sensitive personal data. For 99.6% of users in the report, the only contact information recorded is full name and email address.

While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks. Okta customers sign in to Okta's customer support system with the same accounts they use in their own Okta org. Many users of the customer support system are Okta administrators. It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).

Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users. While 94% of Okta customers already require MFA for their administrators, we recommend ALL Okta customers employ MFA and consider the use of phishing-resistant authenticators to further enhance their security. Please refer to product documentation to enable MFA for the admin console (Classic or OIE).

How we discovered this

Following the publication of the RCA on November 3, Okta Security reviewed our initial analysis of the actions that the threat actor performed, including manually recreating the reports that the threat actor ran within the customer support system. We identified that the file size of one particular report downloaded by the threat actor was larger than the file generated during our initial investigation. After additional analysis, we concluded that the report contained a list of all customer support system users. The discrepancy in our initial analysis stems from the threat actor running an unfiltered view of the report. Our November review identified that if the filters were removed from the templated report, the downloaded file was considerably larger - and more closely matched the size of the file download logged in our security telemetry.
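The size reconciliation described above, as an added example that is not Okta's tooling or code: it parses constructed report-download telemetry, regenerates the user report from a constructed user table with and without an assumed template filter, and reports which variant the logged byte count matches and how many rows that variant exposes. The log line format, the user records, the company filter and the byte counts are assumptions; only the column names come from the blog post.

```python
"""Reconcile logged report-download sizes against regenerated exports.

Added example, not Okta's code. The telemetry format, the user table, the
report template filter and the byte counts are constructed for the walkthrough;
only the column names come from the blog post.
"""
import csv
import io
import re

# Column set the blog post lists for the support-system user report.
FIELDS = [
    "Created Date", "Last Login", "Full Name", "Username", "Email",
    "Company Name", "User Type", "Address", "Last Password Change or Reset",
    "Role: Name", "Role: Description", "Phone", "Mobile", "Time Zone",
    "SAML Federation ID",
]

# Constructed support-system users (assumed). Most columns are left blank,
# as the post says they were for the real report.
# (created, last login, full name, username, email, company)
USERS = [
    ("2019-02-11", "2023-09-20", "Ada Lovelace", "ada@examplecorp.test", "ada@examplecorp.test", "Example Corp"),
    ("2020-06-01", "2023-09-27", "Grace Hopper", "grace@examplecorp.test", "grace@examplecorp.test", "Example Corp"),
    ("2018-11-30", "", "Alan Turing", "alan@acme.test", "alan@acme.test", "Acme Ltd"),
    ("2021-01-15", "2023-09-01", "Linus T", "linus@acme.test", "linus@acme.test", "Acme Ltd"),
    ("2022-03-03", "2023-08-14", "Ken Thompson", "ken@bell.test", "ken@bell.test", "Bell Labs"),
    ("2017-07-07", "2023-09-28", "Dennis Ritchie", "dmr@bell.test", "dmr@bell.test", "Bell Labs"),
    ("2023-05-19", "", "Brian Kernighan", "bwk@bell.test", "bwk@bell.test", "Bell Labs"),
    ("2016-09-09", "2023-09-15", "Radia Perlman", "radia@globex.test", "radia@globex.test", "Globex Corp"),
]

# Constructed download telemetry (assumed format). First line: the actor's
# download; second line: an analyst re-running the templated (filtered) report.
TELEMETRY = """\
2023-09-28T15:06:00Z actor=compromised-support-acct event=report.download report=support_users bytes=878
2023-11-03T10:12:00Z actor=ir-analyst event=report.download report=support_users bytes=386
"""
LOG_RE = re.compile(
    r"(?P<ts>\S+) actor=(?P<actor>\S+) event=report\.download "
    r"report=(?P<report>\S+) bytes=(?P<bytes>\d+)"
)


def templated_filter(user):
    """Assumed report template: the saved view is restricted to one company."""
    return user[5] == "Example Corp"


def render_report(users):
    """Serialise the user list as the CSV export the support system would produce."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(FIELDS)
    for created, login, name, username, email, company in users:
        writer.writerow([created, login, name, username, email, company] + [""] * 9)
    return buf.getvalue().encode("utf-8")


def parse_telemetry(text):
    """Extract download events (timestamp, actor, report, byte count) from log lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def reconcile(event, users, flt):
    """Regenerate the report with and without the template filter, pick the
    variant whose size is closest to the logged download, and flag downloads
    that outgrow the templated export by more than 10%."""
    candidates = {
        "filtered": [u for u in users if flt(u)],
        "unfiltered": list(users),
    }
    sizes = {name: len(render_report(rows)) for name, rows in candidates.items()}
    best = min(sizes, key=lambda name: abs(sizes[name] - event["bytes"]))
    return {
        "ts": event["ts"],
        "actor": event["actor"],
        "logged_bytes": event["bytes"],
        "sizes": sizes,
        "match": best,
        "rows_exposed": len(candidates[best]),
        "oversized": event["bytes"] > sizes["filtered"] * 1.10,
    }


def investigate(telemetry=TELEMETRY, users=USERS, flt=templated_filter):
    """Reconcile every logged download against the regenerated report variants."""
    return [reconcile(ev, users, flt) for ev in parse_telemetry(telemetry)]


if __name__ == "__main__":
    for r in investigate():
        print(f"{r['ts']} {r['actor']}: logged {r['logged_bytes']}B, regenerated {r['sizes']}, "
              f"matches {r['match']} ({r['rows_exposed']} rows), oversized={r['oversized']}")
```

In a real review the unfiltered variant has to be regenerated through the same export code path and against the user population as it stood at the time of the download; accounts created or deleted since then shift the size, so a small residual is expected and the comparison is about which variant is closest, not an exact byte match.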

Company Information

Name: Okta, Inc.
CIK: 0001660134
SIC Description: Services-Prepackaged Software
Ticker: OKTA - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: January 30

  1. MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.