[cheeze]

Okta was painfully negligent, with CF going as far as posting "recommendations for Okta" because it was their only way to get through to them.

I don't love CF, but IMO Okta deserves to be punched down on.

[longcat]

In both situations Okta and Cloudflare a generic or system account has been compromised. CloudFlare would have had to upload or provide a session tokens or secret to Okta's support system.

[BeefWellington]

Sure but for how long and in what contexts?

Is it really reasonable to come out and say your company utterly failed a pretty basic security practice when faced with a compromise but that it was really some other company's problem originally?

Of course it's not. It's still your company's failure. Own it.