
Okta CEO: Oktapus Phishing Campaign Shows Need For Passwordless Security

David Harris

‘The vision here—and what customers need to do—is we need to move to having no password so it’s not phishable, and our platform can get them there,’ said Okta CEO Todd McKinnon.


Okta CEO Todd McKinnon said the recent massive phishing campaign known as Oktapus shows the need for customers to move to passwordless security settings.

“The vision here—and what customers need to do—is we need to move to having no password so it’s not phishable, and our platform can get them there,” said McKinnon during the San Francisco-based cybersecurity company’s second-quarter earnings conference call Wednesday. “But it’s very configurable now based on which resource you’re protecting and how risk-averse you are from these kinds of attacks.”

Oktapus, according to researchers at Group-IB Threat Intelligence, targeted employees of companies that are Okta customers. Those workers received text messages containing links to phishing sites that mimicked their organization’s Okta authentication page, Group-IB wrote. More than 130 organizations were compromised as a result, including DoorDash and Twilio.


“The initial objective of the attackers was clear: obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations. With this information in hand, the attackers could gain unauthorized access to any enterprise resources the victims have access to,” wrote Group-IB in a post.

“It’s actually a recent occurrence of something that happens all the time, and that is there are these phishing attacks that go on all the time,” said McKinnon, when asked by an analyst about the phishing attack. “The threat actors, they try to use the most commonly used identity systems, and so they often target us. They often try to have a fake Okta site and get users to put in their credentials in this fake site and they can break in that way ... The unique thing is not that they targeted Okta customers, but for a few customers it actually worked and they got in.”
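The two descriptions above explain why the campaign worked: a lookalike page can collect a password and a one-time code and replay them to the real tenant before the code expires, while a credential whose login assertion is bound to the page origin cannot be relayed. The simulation below, added here and not code from Okta, Group-IB or the original article, models both paths. It assumes the "not phishable" login is a WebAuthn/FIDO2-style origin-bound credential (the article does not name the mechanism), uses made-up hostnames, user, password, TOTP seed and authenticator key, and uses HMAC as a stand-in for the public-key signature a real authenticator would produce.

```python
"""Why a relayed one-time code lets an Oktapus-style phishing page log in,
and why an origin-bound passwordless credential does not.

Constructed simulation: hostnames, user, password, TOTP seed and
authenticator key are made up. HMAC stands in for the public-key
signature a real WebAuthn/FIDO2 authenticator would produce."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://acme.okta.example"       # hypothetical tenant origin
PHISH_ORIGIN = "https://acme-okta-sso.example"  # hypothetical lookalike page


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for Unix time `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def canonical(client_data: dict) -> bytes:
    return json.dumps(client_data, sort_keys=True).encode()


class IdP:
    """Toy identity provider with a password+TOTP path and a passwordless,
    origin-bound challenge path."""

    def __init__(self):
        self.users = {}
        self.challenges = {}

    # --- password + TOTP: exactly the data the phishing pages harvested ---
    def enroll_totp(self, user, password, seed):
        self.users[user] = {"pw": password, "seed": seed}

    def login_totp(self, user, password, code, now):
        u = self.users[user]
        return (hmac.compare_digest(u["pw"], password)
                and hmac.compare_digest(totp(u["seed"], now), code))

    # --- passwordless: the challenge is signed together with the origin ---
    def enroll_key(self, user, key):
        self.users[user] = {"key": key}

    def begin_login(self, user):
        challenge = secrets.token_hex(16)
        self.challenges[user] = challenge
        return challenge

    def finish_login(self, user, client_data, signature):
        if client_data.get("challenge") != self.challenges.pop(user, None):
            return False
        if client_data.get("origin") != REAL_ORIGIN:
            return False  # assertion was produced on another site: reject
        expected = hmac.new(self.users[user]["key"],
                            canonical(client_data), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class Authenticator:
    """Signs (challenge, origin). The browser, not the user, fills in the
    origin of the page that asked, so the user cannot be talked into signing
    for the wrong site. Real browsers also refuse outright when the page's
    domain is outside the credential's rpId; that check is omitted so the
    IdP-side rejection is visible."""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge, page_origin):
        client_data = {"challenge": challenge, "origin": page_origin}
        sig = hmac.new(self.key, canonical(client_data), hashlib.sha256).digest()
        return client_data, sig


def phish_totp_relay(idp, user, now):
    """Victim types password + code into the lookalike page; the phisher
    forwards both to the real IdP inside the 30-second window."""
    password, seed = "hunter2", b"constructed-totp-seed"
    idp.enroll_totp(user, password, seed)
    harvested = {"pw": password, "code": totp(seed, now)}  # typed at PHISH_ORIGIN
    return idp.login_totp(user, harvested["pw"], harvested["code"], now)


def legit_passwordless_login(idp, user):
    key = b"constructed-authenticator-key"
    idp.enroll_key(user, key)
    client_data, sig = Authenticator(key).sign(idp.begin_login(user), REAL_ORIGIN)
    return idp.finish_login(user, client_data, sig)


def phish_passwordless_relay(idp, user):
    """Same relay, but the victim's browser is on the phishing page, so the
    signed assertion names PHISH_ORIGIN and the real IdP rejects it."""
    key = b"constructed-authenticator-key"
    idp.enroll_key(user, key)
    challenge = idp.begin_login(user)  # phisher fetches a genuine challenge
    client_data, sig = Authenticator(key).sign(challenge, PHISH_ORIGIN)
    return idp.finish_login(user, client_data, sig)


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP relay logs in:", phish_totp_relay(IdP(), "alice", now))          # True
    print("passwordless, real site:", legit_passwordless_login(IdP(), "alice"))  # True
    print("passwordless relay:", phish_passwordless_relay(IdP(), "alice"))       # False
```

The point the simulation makes is McKinnon's: a password and a six-digit code are just strings the victim can be persuaded to type anywhere, so the IdP cannot tell a relayed login from a genuine one. An origin-bound assertion carries the name of the page it was made on inside the signed data, so the phishing site either cannot obtain one at all or obtains one the real tenant rejects.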

McKinnon said Okta is focused on being transparent about what it knows after a cyberattack, communicating as much as it can about the incident and making sure that customers and partners know how to configure their security settings so they are not left with lax ones.

For the second quarter of fiscal 2023, Okta reported total revenue of $452 million, an increase of 43 percent year-over-year. Subscription revenue was $435 million, an increase of 44 percent year-over-year.

The company reported a net loss for the quarter of $210.5 million, an improvement from last year’s net loss of $276.7 million during the same period.

Okta was expected to report $430.6 million in sales and an adjusted net loss of 30 cents per share, according to the consensus estimate from investment research firm Zacks. Okta reported an adjusted net loss of 10 cents per share.

For its next quarter, Okta said it expects total revenue of $463 million to $465 million, representing a growth rate of 32 percent to 33 percent year-over-year.

Okta stock sank more than 11 percent in after-hours trading Wednesday, falling to $81.10. Company shares are down more than 58 percent so far this year as the tech sector as a whole comes to grips with macroeconomic pressures, including inflation and supply chain disruptions.
