Okta posted a strange message on Friday about a problem in their system. Under certain conditions, someone may have been able to log in without entering a real password. This only worked if the username was long, over 52 letters or numbers.
Normally Okta checks that you enter the right password when you log in. But it seems there was a bug. If the system had saved details from before when someone logged in correctly, and their username was long, it wouldn’t check the password was right. This also only worked if the server that checks passwords was too busy, or some companies didn’t use extra security steps like a code sent to your phone.
The flaw has been there since July, but Okta only fixed it in October when they found it. They changed how the system saves login details to make it safer. Okta wants any companies using their software to check for suspicious logins over the last 3 months, in case someone took advantage while it wasn’t checking passwords properly for very long usernames.
It’s good that Okta fixed the problem now. People rely on services like Okta to keep their accounts private. Hopefully, no one was able to access accounts they shouldn’t have. Companies and Okta will keep working on security to make logging in safer in the future.
