Okta: Okta support-portal HAR file leak exposes 134 customer environments
A threat actor used a service-account credential stored in a personal Google account to access Okta's customer-support case-management system and download HAR files containing session tokens for 134 customer organisations.
2 of the 3 practices that failed in this incident are part of the Sentinel-10 — the engineering protocols Concordance flags as most degraded under AI-accelerated development.
This incident pre-dates today's AI-velocity surge. The thesis is that the same practices that failed here will fail faster under AI velocity if not actively governed.
Impact
Multiple Okta customers, including 1Password, BeyondTrust, and Cloudflare, publicly disclosed downstream incidents. Okta stock dropped ~11% on disclosure.
Root cause (from published RCA)
The credential for a service account used to access the Okta customer-support system was stored in an employee's personal Google profile. That personal Google account was compromised, exposing the service-account credential. The service account had access to the customer-support case-management system, where customers had uploaded HAR files containing valid session tokens.
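A mitigation on the customer side is to scrub a HAR capture before attaching it to a support case. The sketch below is an added example, not code from Okta or from the published RCA; the header list, the parameter-name hints and the sample capture are assumptions constructed for illustration.

```python
import copy

REDACTED = "[REDACTED]"
# Assumed lists; extend them for the application being debugged.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
PARAM_HINTS = ("token", "session", "sid", "secret", "password", "code", "key")

def _scrub(pairs, is_sensitive):
    """Redact values of HAR {name, value} pairs whose name is sensitive; return count."""
    hits = [p for p in pairs or [] if is_sensitive(p.get("name", "").lower())]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)

def _secret_param(name):
    return any(hint in name for hint in PARAM_HINTS)

def sanitize_har(har):
    """Return (deep-copied HAR with credentials redacted, number of redactions)."""
    har, n = copy.deepcopy(har), 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            n += _scrub(msg.get("headers"), lambda name: name in SENSITIVE_HEADERS)
            n += _scrub(msg.get("cookies"), lambda name: True)  # every cookie value
        n += _scrub(req.get("queryString"), _secret_param)
        n += _scrub((req.get("postData") or {}).get("params"), _secret_param)
        # Bodies can embed tokens in arbitrary formats, so drop them wholesale.
        for body in (req.get("postData"), resp.get("content")):
            if body and "text" in body:
                body["text"] = REDACTED
                n += 1
        # The URL repeats the query string; keep only the part before it.
        if "?" in req.get("url", ""):
            req["url"] = req["url"].split("?", 1)[0]
            n += 1
    return har, n

# Constructed sample capture (not data from the incident).
SAMPLE_HAR = {"log": {"entries": [{
    "request": {
        "url": "https://example.test/api/v1/users?sessionToken=CONSTRUCTED-QS&limit=10",
        "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED-SID"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SID"}],
        "queryString": [{"name": "sessionToken", "value": "CONSTRUCTED-QS"},
                        {"name": "limit", "value": "10"}]},
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED-SID2; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SID2"}],
        "content": {"text": "{\"token\": \"CONSTRUCTED-BODY\"}"}}}]}}
```

Redaction by name is a best-effort filter, so review the output before sharing it, and treat any session that appeared in an unscrubbed capture as one to revoke.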