Is there any reason they do not mention who the "globally recognized cybersecurity firm" is? Also, I did not find them mentioning anything about honesty :).
Yes: the cybersecurity firm found a big enough trash fire that they don't want their name associated with it. If there were a competent security firm, there would be a detailed timeline (perhaps not in this post, but linked from it) of "Hacker got access, did X, Y, Z. Last access using the compromised token was at A, and the token expired automatically at B." The other alternative is that they hired Kaspersky and don't want to mention that for obvious reasons.
If you are still on Okta in a month, you should be held criminally liable when the next hack happens.
I think we should expect SAML providers to be compromised. Given that, we need to design systems around that assumption. Google gets hacked, Azure gets hacked, Okta now. No one is impervious.
Now, that said, Okta should be more open in order to engender trust. I think this is where you are going with the comment and in this I agree.
Summary from the article:
Someone got access. We don’t know who or why. They didn’t change anything and we will assert they couldn’t have. We will be throwing a contractor we work with under the bus for this one.