Okta says security breach disclosed in October was way worse than first thought

A security breach of identity-management software company Okta was more extensive than first thought.

More than five weeks after Okta first told customers of the September breach, the company's chief security officer, David Bradbury, wrote in a blog post Wednesday that hackers had stolen information on all users of its customer support system. 

The admission is a far cry from the company's prior contention that the incident had impacted less than 1% of users.

Okta's initial investigation overlooked actions by hackers signaling all of the company's certified users were impacted during the attack, Bradbury noted. 

"While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks," Bradbury wrote. 

The developments came after casino giants Caesar's Entertainment and MGM Resorts were breached, with hackers succeeding to social engineer workers into resetting the multifactor login requirements for Okta administrator accounts. 

Some of the world's biggest companies — FedEx, Hewlett Packard and T-Mobile among them — use Okta to secure access to their computer systems (Paramount, which owns CBS News, is also an Okta customer).

Okta has roughly 17,000 customers and manages about 50 billion users, it said in March.

Shares of Okta on Wednesday fell 2.5% to $70.77.

The cost of a typical data breach in the U.S. neared $4.5 million this year, up more than 15% from $3.9 million in 2020, according to IBM. 

Ransomware attacks and other forms of cybercrime have soared in recent years, targeting companies using internet cloud services to store data.

Kate Gibson

Kate Gibson is a reporter for CBS MoneyWatch in New York.