Identity Security Insights delivers deep visibility, threat detection, and actionable recommendations to safeguard your entire identity estate. Sign up to request a complimentary assessment of your current identity security posture, including 30 days of continuous monitoring against identity-based threats.

  • Gain unified visibility into all identities and related risks across all environments within 24 hours.
  • Detect threats such as session hijacking, privilege escalation, and more.
  • Improve your security posture by acting swiftly on recommendations and findings from integrated PAM products.

October 2, 2023: Identity Security Insights detected an attacker trying to access an internal Okta admin account with a valid session cookie stolen from Okta support. We then alerted Okta to the breach nearly three weeks before public acknowledgment.


  • October 2, 2023 – BeyondTrust detected and remediated an identity-centric attack on an in-house Okta administrator account and alerted Okta.
  • October 3, 2023 – BeyondTrust asked Okta support to escalate to the Okta security team, given initial forensics pointing to a compromise within the Okta support organization.
  • October 11, 2023 and October 13, 2023 – Held Zoom sessions with the Okta security team to explain why we believed they might be compromised.
  • October 19, 2023 – Okta security leadership confirmed they had an internal breach.


  • Okta session hijacking
  • Okta user performed administrative action using a proxy
  • Okta admin privileges were granted to a user
  • Okta password health report generated
  • Okta user with some level of admin access uses MFA vulnerable to SIM swapping


The Okta administrator’s account was protected with FIDO2 authentication, and policies within BeyondTrust’s Okta environment allowed access to the admin console only from managed devices with Okta Verify installed.

Our own instance of BeyondTrust’s Identity Security Insights, and tailored detections from our security teams, alerted us to several aspects of the intrusion. We immediately disabled the backdoor user account and revoked the attacker’s access before the account could be used, preventing any further actions.

BeyondTrust security experts have produced the following resources on the Okta breach and on how to improve Okta security:

Webinar: A Post Breach Analysis: Okta Support Unit, with BeyondTrust's Marc Maiffret, Chief Technology Officer; James Maude, Director of Research

Podcast: Breached! BeyondTrust Discovers Breach of Okta Support Unit, with BeyondTrust's Marc Maiffret, Chief Technology Officer; James Maude, Director of Research

Blog: Okta Support Unit Breach Update & Security Implications

Blog: BeyondTrust Discovers Breach of Okta Support Unit

Blog: How Securing Your Identity Store Can Help Stop an Identity-Related Breach
