[bigbluedots]

> They did this by using one access token and three service account credentials that had been taken, and that we failed to rotate, after the Okta compromise of October 2023

It's fair to "punch down" imo as that's how the credentials were originally compromised. I'd agree with you if CF were trying to minimize their own mistake but that doesn't seem to be what is happening here

[BeefWellington]

If a breach is disclosed and some time later your systems are compromised because you didn't bother to take appropriate action in response to that, it's not "fair" to punch down, or even reasonable to do so.

[cheeze]

Okta was painfully negligent, with CF going as far as posting "recommendations for Okta" because it was their only way to get through to them.

I don't love CF, but IMO Okta deserves to be punched down on.

[longcat]

In both situations Okta and Cloudflare a generic or system account has been compromised. CloudFlare would have had to upload or provide a session tokens or secret to Okta's support system.

[BeefWellington]

Sure but for how long and in what contexts?

Is it really reasonable to come out and say your company utterly failed a pretty basic security practice when faced with a compromise but that it was really some other company's problem originally?

Of course it's not. It's still your company's failure. Own it.