Update from Okta - Heartbleed

You’ve likely read about the Heartbleed vulnerability that has affected much of the Internet. The short version: Heartbleed is a bug that affects the way online services encrypt connections between their service and their users, and if not corrected can lead to sensitive information being revealed. Most services and sites on the Internet use OpenSSL, the code that was affected, making Heartbleed a top story this week. We want to tell you about Okta’s response.
Security companies set themselves apart with their response times. Since the initial alert regarding Heartbleed, Okta quickly addressed the bug, updated its service, and eliminated any Heartbleed vulnerabilities going forward.

We have no evidence that any Okta customers have been maliciously impacted by this vulnerability, and we continue to actively monitor and investigate any and all potential issues.

We’ve been working with our customers to outline additional steps they can take going forward. An example is enabling Multi-factor Authentication for even more security. For our customers, all of those steps are outlined here.

What We’ve Done

Okta immediately updated our service to completely address the OpenSSL Heartbleed vulnerability. Specifically, we:

  • Updated OpenSSL on all HTTPS endpoints and restarted all services

  • Re-issued all SSL certificates using new signing keys

  • Expired all user sessions

These steps effectively addressed all known Heartbleed vulnerabilities within the Okta service.
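One way to check that those three steps actually took effect on a given endpoint, as an added Python example that is not Okta's own tooling: it assumes the OpenSSL version string is obtained out of band (for example from the host's package manager), that the certificate is the dict Python's ssl.SSLSocket.getpeercert() returns, and that the session store can report the issue time of its oldest still-honoured session. The cut-off date used is the release date of the fixed OpenSSL 1.0.1g.

```python
import re
import ssl
from datetime import datetime, timezone

# Epoch seconds at which the fixed OpenSSL 1.0.1g shipped (7 Apr 2014); keys and
# sessions older than this lived on a potentially exploitable server.
PATCH_TS = datetime(2014, 4, 7, tzinfo=timezone.utc).timestamp()

_VERSION = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def openssl_is_vulnerable(banner: str) -> bool:
    """True for builds carrying the buggy heartbeat code: 1.0.1 through 1.0.1f and
    1.0.2-beta1. 0.9.8 and 1.0.0 never had the extension; 1.0.1g is the fix."""
    m = _VERSION.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"          # "" (plain 1.0.1) up to "f" are affected
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"
    return False


def cert_needs_reissue(peercert: dict, patched_ts: float = PATCH_TS) -> bool:
    """peercert is the dict ssl.SSLSocket.getpeercert() returns. A notBefore earlier
    than the patch means the key may have leaked; it needs a new key, not a renewal."""
    return ssl.cert_time_to_seconds(peercert["notBefore"]) < patched_ts


def remediation_report(banner: str, peercert: dict, oldest_session_ts: float,
                       patched_ts: float = PATCH_TS) -> dict:
    """Map each step listed above to True when the evidence shows it was done.
    oldest_session_ts is the issue time of the oldest session the store still honours."""
    return {
        "openssl_patched": not openssl_is_vulnerable(banner),
        "cert_reissued": not cert_needs_reissue(peercert, patched_ts),
        "sessions_expired": oldest_session_ts >= patched_ts,
    }


if __name__ == "__main__":
    # Constructed sample evidence, not real Okta data.
    cert = {"notBefore": "Apr  8 12:00:00 2014 GMT"}
    print(remediation_report("OpenSSL 1.0.1g 7 Apr 2014", cert, PATCH_TS + 86400))
```

A certificate that was merely renewed with the old key pair still fails the second check by design: only a key generated after the patch is known not to have been exposed.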

Further, Okta has enabled, at no additional cost, Multi-factor Authentication capability for all of our customers.

Lastly, Okta has outlined additional measures that should be considered; for our customers, they are listed here.

If you have any questions about any of this, reach out to us directly at any time: email [email protected] or call us at 1-800-219-0964.
