A vulnerability in a third party call center opened the company up to a data breach.

On Monday, Okta CEO Todd McKinnon gave an interview to Bloomberg Television in which he addressed the massive hack that the company suffered in January. McKinnon admitted that Okta doesn’t yet know how many of its customers were affected by the data breach that the company waited nearly two months to make public.

Okta, which provides user authentication services, revealed last month that it had been hacked in January after a group taking responsibility for the intrusion, Lapsus$, posted screenshots that appeared to show access to Okta accounts. As the “trusted identity provider for over 15,000 companies,” McKinnon said, “anytime something like this happens, it’s a big deal.”

The hackers used an unnamed competitor’s software to break into a third-party call center, where about 40 people acted as support agents for Okta to provide help to customers, he said. Hackers took screenshots of what the support agents were doing on their computers and posted them, McKinnon said.

“I want to be really clear that we’re responsible,” he said. “So third-party this and third-party that. It’s our responsibility to make sure this stuff doesn’t happen.”

Admitting to an “unacceptable” delay in communication

McKinnon said as many as 366 customers were potentially affected, but the investigation hasn’t yet determined the exact number.

While Okta learned about the security incident in January, the San Francisco-based company confirmed the compromise on March 22, after Lapsus$ hackers went public with evidence of a breach. The delay was “unacceptable,” McKinnon said Monday, adding that the “communication was not as clear as it should have been.” 

But he said an initial investigation in January didn’t reveal the extent of the incident.

“For all intents and purposes, the first time we knew about the severity of this and what hackers actually got, was on March 22,” he said. He said the technical impact to the customers – what they need to do, what disclosures they need to make –  is “near zero.”

Okta also is preparing to release a report to customers including more details about the incident, he said. The company no longer works with the call center where the compromise occurred. 

“We are a trusted brand and that trust has been damaged,” McKinnon said.