[spatley]

Sure, not as catastrophic as getting prod root keys directly, but the breach was detected by an Okta customer that found a bad actor using session cookie data the was provided to Okta by their user in a support incident.

It is nearly certain that sometime in that 15 days a bunch of Okta customers got breached and are infiltrated now without their knowledge.

[albert_e]

the malicious actor likely had access to Okta support systems for much longer and was able to use HARs and also other information from other Okta customers undetected till they walked into a customer that was alert