If a transgression by a single employee breaches your network, you're doing it wrong.
Accessing personal accounts at a company like Okta has long been known to be a huge no-no. And if that prohibition wasn’t clear to some before, it should be now. The employee almost surely violated company policy, and it wouldn’t be surprising if the offense led to the employee’s firing.
However, it would be wrong for anyone to conclude that employee misconduct was the cause of the breach. It wasn’t. The fault, instead, lies with the security people who designed the support system that was breached, specifically the way the breached service account was configured.
First, Okta should have put access controls in place besides a simple password to limit who or what could log into the service account. One way of doing this is to put a handful of company-controlled IP addresses on an allow list and to block all others unless additional credentials are supplied. Another is to regularly rotate access tokens used to authenticate to service accounts. And, of course, it should have been impossible for employees to be logged in to personal accounts on a work machine. These and other precautions are the responsibility of senior people inside Okta.
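As an added illustration (not code from the article or from Okta), here is one way the two controls described above, a source-IP allow list that falls back to a second factor and a rotation window on the service-account token, could be enforced or audited over sign-in records; the networks, rotation window and sample events are constructed assumptions:

```python
"""Policy check for service-account sign-ins: the source IP must be on a
small company allow list (or the request must carry a second factor), and
the bearer token must be younger than the rotation window.
All policy values and sample records below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed policy values (not Okta's real configuration).
ALLOWED_SOURCES = [ip_network("203.0.113.0/28"), ip_network("198.51.100.7/32")]
TOKEN_MAX_AGE = timedelta(days=30)


@dataclass
class SignIn:
    account: str
    source_ip: str
    token_issued: datetime
    second_factor: bool


def evaluate(event: SignIn, now: datetime) -> tuple[str, list[str]]:
    """Return ("allow" | "deny", list of reasons for denial)."""
    reasons = []
    addr = ip_address(event.source_ip)
    on_allowlist = any(addr in net for net in ALLOWED_SOURCES)
    # Off-network logins are only acceptable with an additional credential.
    if not on_allowlist and not event.second_factor:
        reasons.append(f"source {event.source_ip} off allow list, no second factor")
    # A token older than the rotation window should have been rotated already.
    age = now - event.token_issued
    if age > TOKEN_MAX_AGE:
        reasons.append(f"token age {age.days}d exceeds {TOKEN_MAX_AGE.days}d window")
    return ("deny" if reasons else "allow", reasons)


def audit(events: list[SignIn], now: datetime) -> dict[str, int]:
    """Count allow/deny decisions over a batch of sign-in records."""
    counts = {"allow": 0, "deny": 0}
    for event in events:
        counts[evaluate(event, now)[0]] += 1
    return counts


NOW = datetime(2023, 11, 1, tzinfo=timezone.utc)
# Constructed sample sign-ins for a hypothetical support service account.
SAMPLE_EVENTS = [
    SignIn("svc-support", "203.0.113.5", NOW - timedelta(days=3), False),   # allow
    SignIn("svc-support", "192.0.2.44", NOW - timedelta(days=3), False),    # deny: off-net
    SignIn("svc-support", "192.0.2.44", NOW - timedelta(days=45), True),    # deny: stale token
    SignIn("svc-support", "198.51.100.7", NOW - timedelta(days=10), True),  # allow
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.source_ip, *evaluate(e, NOW))
    print(audit(SAMPLE_EVENTS, NOW))
```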