That Solarwinds is still in business and also had another security breach recently should tell you everything you need to know about the real impact of these things in the long term.
Okta's stock may be down but it will go back up once collective amnesia sets in.
What would be more interesting is figuring out how you could claim some kind of injury as an Okta customer due to this incident...
Yes. No one really gives a shit if their vendors are hacked. They are just happy that they have someone else to point at from a risk perspective. "They had all these third party certifications that said it was safe. It wasn't our fault.".
This isn't really the right approach because it really shows that you don't give a shit about your customers either and only care about covering your ass.
Companies pay lip service to idiots to collect cash from said idiots.
Mentioning this tends to make the dumbass business goons have a frowny face reaction. (It’s better to pay lip service than admit one is a morally adrift turd)
I feel like it will bounce back... this breach was the support case management system, separate from the production Okta service. Still embarrassing for sure, still risk of confidential info exposed, but doesn't seem to impact core infrastructure.
It means they learned something, and they are now stronger as a company and are less likely to have the same security breach happen again. Seems like a time to buy if you ask me.
Since this is a general comment, here are some general responses.
> It means they learned something,
That’s debatable.
> and they are now stronger as a company
Really not sure we can assume this unless the company is transparent, quickly apologetic and clearly says what it will do.
> and are less likely to have the same security breach happen again
If there’s one thing I’ve seen in the industry, companies change because their people change and policies change and external pressures change. There is absolutely no way to be over optimistic and believe that things won’t get far worse in the future.
Information security doesn’t get a lot of long term attention. There’s too much fatigue by constant breaches and leaks that companies do the minimum PR to let it slide in a few days or weeks. Even any government hearings will be met with PR statements and sentences that nobody actually believes.
I wonder what was really achieved when we left basic auth with sessions and moved to web tokens. None of these jwt services handles logouts as far as I know. It is just a more complex way of doing just about the same thing.
The company just has to actually care about the security of peripheral systems like this that aren't directly a part of their product offering. Okta has more than sufficiently smart admins who can prevent session tokens from being stolen, but I'm willing to bet their attention is devoted 95% at least to Okta itself and not their external help desk that they probably don't even run themselves. Attackers will always find your weakest link, whatever you think is too insignificant to devote effort to.
Hackers Stole Access Tokens from Okta's Support Unit
https://news.ycombinator.com/item?id=37959904