Okta Says October 2023 Data Breach Impacts All Customer Support Users
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
Okta’s ongoing investigation into the October Help Center breach revealed that hackers had stolen all customer support system users’ information rather than the previously estimated 1 percent.
At the beginning of November, the company disclosed that unknown threat actors had gained access to a limited number of customer support system files, impacting only 134 customers.
However, last week, in an incident update notification, Okta’s CSO, David Bradbury, revealed that hackers had accessed the names and email addresses of all Okta support system users.
“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident,” revealed Bradbury.
The stolen reports are said to contain fields for names, emails, phone numbers, addresses, company name, username, SAML Federation ID, login details, and last password change/reset. However, for 99.6% of users listed in the report, the only contact information revealed was their full name and email address. User credentials and sensitive personal data were not part of the stolen data, the company assured.
The notification also revealed that the breach extended to reports and support cases, which included contact information for all Okta certified users and some Okta Customer Identity Cloud (CIC) customers. Data of some employees was also a part of this breach.
While no evidence of misuse of the stolen data was found, the company believes that customers might be targeted via phishing or social engineering attacks. It is therefore imperative that all Okta customers deploy multi-factor authentication (MFA) and use phishing-resistant authenticators to enhance security.
Okta also revealed that it had enlisted third-party digital forensics experts to assist in its investigation, and that it would be notifying the impacted customers.
Supplier Data Breach Impacts Significant Number of Dollar Tree Employees
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
American discount retail chains Dollar Tree and Family Dollar have recently fallen victim to supply-chain attacks. The workforce analytics solution provider for the companies, Zeroed-In Technologies, experienced a security incident, leading to the unauthorized access and exfiltration of data from nearly 2 million individuals.
In a breach notification filed with the Office of the Maine Attorney General, software company Zeroed-In Technologies revealed that the incident impacted a total of 1,977,486 individuals.
According to the company’s notice to affected people, unauthorized threat actors gained access to its network between August 7 and 8, 2023, and accessed staff details of certain clients. Information about Dollar Tree’s current and former employees was also part of this breach. As per the notice, in Maine, 7,034 employees of the company were impacted.
The company is yet to confirm the names of its other customers who were impacted by this security breach.
“While the investigation was able to determine that these systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor,” the notice read. “Therefore, Zeroed-In conducted a review of the contents of the systems to determine what information was present at the time of the incident, to whom the information relates, and to which Zeroed-In customers the information belonged,” it continued.
The investigation revealed that the compromised information included names, dates of birth, and Social Security numbers (SSNs) of affected clients’ employees.
After the investigation, Zeroed-In not only notified federal law enforcement, but also sent out individual written notices to impacted customers and individuals. Through TransUnion, it’s also offering free credit monitoring services for twelve months to impacted people.
Despite Zeroed-In’s efforts to contain the impact of this incident, the scale of the breach has drawn the interest of law firms looking at filing potential class-action lawsuits against it.
Virginia-headquartered Dollar Tree and Family Dollar operate more than 16,000 stores across 48 states in the US and 5 Canadian provinces.