Okta’s Latest Security Breach Is Haunted by the Ghost of Incidents Past

“This is the second time Cloudflare has been impacted by a breach of Okta’s systems,” a group of Cloudflare engineers wrote on Friday. They went on to share a list of recommendations for how Okta can improve its security posture: “Take any report of compromise seriously and act immediately to limit damage. Provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them. Require hardware keys to protect all systems, including third-party support providers.”

The Cloudflare engineers added that they view protective steps like these as “table stakes” for a company like Okta that provides such critical security services to so many organizations.

When WIRED asked Okta a series of questions about what steps it is taking to improve customer support defenses in the wake of the two breaches, and why there appears to be a lack of urgency when the company receives reports of potential incidents, the company declined to comment, but a spokesperson said it would share more information about these topics soon.

“I really want to know what technical controls Okta had implemented following the 2022 breach, and why this time will be different,” says Evan Johnson, cofounder of RunReveal, which develops system-visibility and incident-detection software. “My hunch is they did not roll out hardware security keys, or didn’t roll them out for their contractors doing support.”

Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security, emphasizes that “the issue is bigger than Okta,” noting that software supply chain attacks and the volume of hacks companies must defend against are significant. “It’s unfortunately common for service providers of any size to have trouble believing they are the source of an incident until definitive proof is offered,” he says.

Still, Williams adds, “there’s a pattern here with Okta and it involves outsourced support.” He also notes that one of the remediations Okta suggested to customers in the wake of the latest incident, carefully removing support session tokens that could be compromised from troubleshooting data, is not practical.

“Okta’s suggestion that somehow the customer must be responsible for stripping session tokens from the files they specifically request for troubleshooting purposes is absurd,” he says. “That’s like handing a knife to a toddler and then blaming the toddler for bleeding.”
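As an added illustration of the scrubbing Williams is describing (example code written for this page, not part of the article or of Okta's guidance), assuming the troubleshooting files are browser HAR captures, which the article does not specify: a Python routine that redacts cookies, Authorization headers and Set-Cookie values before a capture is handed to a support provider, plus a check that the known session values are gone. The sample capture and its secret values are constructed placeholders.

```python
import copy
import json

REDACTED = "[REDACTED]"
# Header names whose whole value is treated as a credential.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "set-cookie"}
# Constructed sample capture, not a real one; the secrets are placeholders.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "url": "https://example.invalid/api/v1/users/me",
            "headers": [
                {"name": "Cookie", "value": "sid=SESSION123; lang=en"},
                {"name": "Authorization", "value": "Bearer TOKEN456"},
            ],
            "cookies": [{"name": "sid", "value": "SESSION123"}],
        },
        "response": {
            "headers": [{"name": "Set-Cookie", "value": "sid=SESSION789; HttpOnly"}],
        },
    }]}
}

def _scrub_cookie_header(value):
    """Keep cookie names (useful when debugging) but drop every cookie value."""
    parts = []
    for chunk in value.split(";"):
        name, sep, _ = chunk.strip().partition("=")
        parts.append(f"{name}={REDACTED}" if sep else name)
    return "; ".join(parts)

def scrub_har(har):
    """Return a deep copy of a parsed HAR with session-bearing values redacted."""
    har = copy.deepcopy(har)
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for header in part.get("headers", []):
                lname = header.get("name", "").lower()
                if lname == "cookie":
                    header["value"] = _scrub_cookie_header(header["value"])
                elif lname in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in part.get("cookies", []):
                cookie["value"] = REDACTED
    return har

def find_leaks(har, secrets):
    """Return the known secret strings still present anywhere in the serialized HAR."""
    text = json.dumps(har)
    return [s for s in secrets if s in text]
```

The `find_leaks` check is the part worth keeping in a support workflow: a scrubber that silently misses a token in some other field is what turns a diagnostic upload into a credential leak.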
