"Take any report of compromise seriously and act immediately to limit damage; in this case Okta was first notified on October 2, 2023 by BeyondTrust but the attacker still had access to their support systems at least until October 18, 2023."
It is good to call Okta out here as it impacts Cloudflare's business as well and if you can't fix a critical issue for 16 days, that is bad. Remember we are talking about Auth here. A breach impacts everything.
SEC requires public disclosure basically immediately (within a few days, less than a week for sure) for public companies if a hack could harm your bottom line or trade value.
Hopefully they sink their teeth in and give out a nice fine for this insane negligence, but I suspect Okta is in for a strongly worded letter.
First, Okta got hacked and that hack allowed CloudFlare to get hacked. That is bad. Second, one of Okta’s other customers reported the hack and Okta either ignored the report, or investigated the report and did not find the hack. That is not good. Third, CloudFlare’s response was professional. They asked a company providing a very important service to improve because that company’s product and practices endangered CloudFlare.
If Okta does not want its customers to publicly complain about its actions, Okta needs to improve and do better. In particular, if someone says they have been hacked, listen to them and keep digging until you find the problem.
Yes. No one likes a sore winner. Providing your customers with assurances? Good. Providing tips to Okta customers? Sure. Publicly chastising another company you do business with? Unnecessary. That should be kept private. Just my opinion
I am responsible for spending several hundred thousand dollars a year with Cloudflare (out of my budget). I like this style. Don’t want to get called out, get your org fixed. This is somewhere between the third and fifth breach, depending on how you’re counting.
This is the _second_ time this has happened, and it's clear Okta hasn't learned any lessons. So Cloudflare is right to call them out, and Okta should be embarrassed. What surprised me about this post is that they didn't say they were dropping them. Okta is a vulnerability to any organization.
They do win some points on having better security than a popular security product, considering Cloudflare's own security posture is also quite important to their customers.
Agreed - CloudFlare and its employees did outstanding work. My main point was that calling CloudFlare a sore winner did not make sense because they did not win anything.
Also, I think CloudFlare’s blog post was very good.
Agree. CF won't have the inside scoop and they use another company's statement to bolster their own thoughts. I wonder about the BeyondTrust statement too. This just doesn't sound right... and, so far, although it could happen this week, there have been no SEC filings by Okta - which would have to happen if this was a bad situation for them.