A threat actor is claiming to have breached Okta, alleging the exposure of approximately 3.3 million records associated with the company’s customer support and community platform. The listing, published June 28, 2026, claims the dataset contains user profile and account management information rather than authentication credentials or production identity infrastructure. The claims remain unverified at time of publication.
Support portal accounts allegedly exposed
According to the listing, the alleged dataset contains approximately 3,298,572 records tied to Okta’s customer help platform and community accounts.
The threat actor claims the exposed information includes display names, surnames, community nicknames, user types, badge information, account status, last login dates, email and phone verification status, portal access settings, profile photo URLs, preferred language, locale, time zone, account creation dates, password expiration dates, delegated approver identifiers, administrative notification preferences, user IDs, and profile IDs.
The listing does not claim authentication credentials, passwords, multi-factor authentication secrets, or customer tenant data were included in the alleged breach. Based on the fields described, the purported dataset appears to relate to user accounts within Okta’s support and community environment rather than the company’s core identity and access management platform.
Metadata could enable targeted social engineering
Although the alleged dataset does not appear to contain passwords or payment information, profile metadata of this nature can still present security risks if authentic. User roles, account status, login activity, and verification details could help threat actors identify active users for phishing campaigns, social engineering attacks, or reconnaissance targeting organizations that rely on Okta services.
Support and customer portal environments have become increasingly attractive targets because they often contain organizational metadata that can assist follow-on attacks. Earlier this month, LastPass confirmed customer support data was stolen following the Klue supply chain breach, illustrating how information from support platforms can become valuable to attackers even when production systems are not directly compromised.
No evidence provided to verify claims
The threat actor did not publish technical evidence demonstrating how the alleged data was obtained, nor were any details provided regarding the intrusion method or affected systems. While the claimed record count and field descriptions appear internally consistent, the allegations have not been independently verified.
The listing also does not establish whether the purported records are current, historical, or compiled from multiple sources.
Okta has not publicly addressed the claim
Okta had not issued any public statement at time of publication regarding the alleged breach or the dataset being advertised.
BreachNews will post an update if Okta confirms the incident, disputes the claims, or additional evidence becomes available.
