Okta caused a data breach via an employee’s personal Google account
- November 6, 2023
After the recent hack, Okta is pointing the finger at an employee who used his personal Google account on his work device. But management does not go unpunished either.
On October 23, Okta reported that a security incident had occurred. In a blog update, CTO David Bradbury confirmed that the intruders accessed data from 134 customers between September 28 and October 17. For five of those customers, they even got into the customer's environment on the authentication platform. One of these customers was the password manager 1Password. The person who opened the door for the cyber attack has now been identified: an Okta employee.
The unfortunate employee was using his personal Google account on his work laptop. Because he was signed in to that account in the browser, his work account credentials were also stored in it, possibly in Chrome's built-in password manager. It is rarely a good idea to mix personal and business accounts, and this employee was severely punished for it.
The account that was hacked was a service account, a type of account created as a human user account but used to perform automated tasks such as backups or antivirus scans. This makes it more difficult to secure this type of account with multi-factor authentication.
The employee will undoubtedly have been scolded heavily, but Okta's leadership should also look at itself. Ars Technica points out several flaws in Okta's security policy that allowed things to get this far. First, there were too few security measures in place for service accounts: once the attackers had obtained the credentials, they had a free hand.
Among other things, Okta could have implemented stricter controls on the IP addresses associated with service accounts and/or temporary authentication tokens for these types of accounts. It also took a relatively long time for Okta to notice that something was wrong with the network; it was 1Password that had to alert its supplier. These are painful mistakes for a company that specializes in secure authentication technology.
Okta has now introduced additional measures and will only issue tokens to service accounts based on network location, Bradbury confirms. The company has also made clear that employees are not allowed to use their personal accounts on their work laptops. That should be a no-brainer, but Okta does not plan to trip over the same stone twice.
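The two controls discussed above, short-lived service-account tokens bound to an allowlisted network and detection of service-account logins from anywhere else, as an added Python example that is not Okta's code; the account names, CIDR ranges and log events are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed policy: the networks each service account is expected to operate from.
SERVICE_ACCOUNT_NETWORKS = {
    "svc-backup": ["10.20.0.0/16"],
    "svc-av-scan": ["10.30.5.0/24"],
}
TOKEN_TTL = timedelta(hours=1)  # temporary tokens: expire instead of living for days
T0 = datetime(2023, 10, 1, 2, 0, tzinfo=timezone.utc)  # constructed reference time


def allowed_network(account, ip):
    """Return the allowlisted network containing ip, or None (unknown accounts are denied)."""
    addr = ipaddress.ip_address(ip)
    for cidr in SERVICE_ACCOUNT_NETWORKS.get(account, []):
        net = ipaddress.ip_network(cidr)
        if addr in net:
            return net
    return None


def issue_token(account, ip, now):
    """Issue a short-lived token bound to the network it was requested from; None if denied."""
    net = allowed_network(account, ip)
    if net is None:
        return None
    return {"account": account, "net": net, "expires": now + TOKEN_TTL}


def validate_token(token, ip, now):
    """A stolen token is useless outside the bound network or after expiry."""
    if now >= token["expires"]:
        return False
    return ipaddress.ip_address(ip) in token["net"]


# Constructed authentication events: (account, source IP, ISO timestamp).
SAMPLE_EVENTS = [
    ("svc-backup", "10.20.7.15", "2023-10-01T02:00:00+00:00"),
    ("svc-backup", "203.0.113.9", "2023-10-02T11:42:00+00:00"),   # outside allowlist
    ("svc-av-scan", "10.30.5.44", "2023-10-02T12:00:00+00:00"),
    ("svc-unknown", "10.30.5.45", "2023-10-02T12:05:00+00:00"),   # account not in policy
]


def find_anomalies(events):
    """Flag service-account logins from outside their allowlisted networks for review."""
    return [(a, ip, ts) for a, ip, ts in events if allowed_network(a, ip) is None]
```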
Source: IT Daily
As an experienced journalist and author, Mary has been reporting on the latest news and trends for over 5 years. With a passion for uncovering the stories behind the headlines, Mary has earned a reputation as a trusted voice in the world of journalism. Her writing style is insightful, engaging and thought-provoking, as she takes a deep dive into the most pressing issues of our time.