In a new security advisory, Okta has disclosed a weakness in its system that allowed people to log into an account without providing the correct password. Okta skipped password verification when the account’s username was 52 or more characters long. In addition, its system had to find a “stored cache key” from a previous successful authentication, meaning the account holder had previously logged in from that browser. The issue also reportedly did not affect organizations that require multi-factor authentication, according to the notice the company sent to its users.
A 52-character username is far easier to guess than a random password: it can be as simple as a person’s email address, made up of their full name and their organization’s website domain. The company acknowledged that the vulnerability was introduced as part of a standard update released on July 23, 2024, and that it only discovered (and fixed) the problem on October 30. It now urges customers who meet all the conditions of the vulnerability to check their logs for the last few months.
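As an added illustration of what that log review has to look for (example code written for this article, not Okta’s own tooling or log format), the script below applies the advisory’s conditions to a constructed set of sign-in records: a successful password-only login between July 23 and October 30, 2024, by a username of 52 or more characters, from a browser that had already completed a successful login earlier. The record field names (`ts`, `user`, `client`, `outcome`, `mfa`) are assumptions for the example, not Okta’s System Log schema.

```python
from datetime import datetime, timezone

# Constructed sample records; field names are assumptions, not Okta's schema.
# A 66-character username built exactly the way the article describes:
# full name plus the organisation's domain.
LONG_USER = "alexandra.montgomery-whitfield@engineering.example-corporation.com"
SAMPLE_LOG = [
    # Earlier success from browser A: this is what seeds the "stored cache key".
    {"ts": "2024-07-20T09:00:00Z", "user": LONG_USER, "client": "browser-A",
     "outcome": "SUCCESS", "mfa": False},
    # Inside the vulnerable window, same browser, no MFA: matches every condition.
    {"ts": "2024-08-01T11:30:00Z", "user": LONG_USER, "client": "browser-A",
     "outcome": "SUCCESS", "mfa": False},
    # MFA completed, so the advisory says this organisation was not affected.
    {"ts": "2024-08-02T08:15:00Z", "user": LONG_USER, "client": "browser-A",
     "outcome": "SUCCESS", "mfa": True},
    # Short username: the bypass did not apply.
    {"ts": "2024-08-03T14:00:00Z", "user": "bob@example.com", "client": "browser-A",
     "outcome": "SUCCESS", "mfa": False},
    # First login ever from browser B: no cached key existed for it yet.
    {"ts": "2024-08-05T10:00:00Z", "user": LONG_USER, "client": "browser-B",
     "outcome": "SUCCESS", "mfa": False},
    # After the October 30 fix: outside the affected window.
    {"ts": "2024-11-02T10:00:00Z", "user": LONG_USER, "client": "browser-A",
     "outcome": "SUCCESS", "mfa": False},
]

WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)   # update that introduced the bug
WINDOW_END = datetime(2024, 10, 30, 23, 59, 59, tzinfo=timezone.utc)  # day it was fixed
MIN_USERNAME_LEN = 52


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_logins(records):
    """Return successful, password-only logins that meet all of the advisory's
    conditions: long username, inside the window, and a prior success from the
    same (user, client) pair, which stands in for the cached key."""
    seen_success = set()
    hits = []
    for rec in sorted(records, key=lambda r: parse_ts(r["ts"])):
        if rec["outcome"] != "SUCCESS":
            continue
        key = (rec["user"], rec["client"])
        when = parse_ts(rec["ts"])
        if (WINDOW_START <= when <= WINDOW_END and len(rec["user"]) >= MIN_USERNAME_LEN
                and not rec["mfa"] and key in seen_success):
            hits.append(rec)
        seen_success.add(key)  # every success seeds the cache for later logins
    return hits
```

A match only shows that the conditions were met, not that a password was actually bypassed; each hit still needs to be confirmed against the account owner’s activity.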
Okta provides software that makes it easy for companies to add authentication services to their applications. For organizations with multiple applications, it gives users a single, unified sign-on so they do not have to verify their identity for each application separately. The company did not say whether it was aware of anyone affected by this particular issue, but it has previously promised “communicating with customers faster” after the Lapsus$ threat group gained access to multiple user accounts.