Okta cross-tenant token leak — what your IdP logs should show
A logging defect in Okta's admin console briefly exposed bearer tokens between tenants. We walk through what to grep for in System Log between April 11 and April 23.
What happened
A logging defect in Okta’s admin console between April 11 and April 23 caused authenticated bearer tokens to be written to a shared system log accessible across tenant boundaries. An attacker with valid admin credentials in one tenant could read recent token material from any other tenant whose logs traversed the same processing path during the window.
Who is affected
- Okta Workforce Identity customers on Workforce 2024.04.0 → 2024.04.7
- Okta Customer Identity (Auth0) is not affected by this specific defect
What this enables for an attacker
Tokens captured during the window are valid until the natural expiration of the parent session (typically 24 hours). An attacker who exfiltrated tokens before April 23 could replay them through April 24 to mint downstream sessions in apps integrated with the affected Okta tenant.
What to do this week
- Pull the Okta System Log for policy.evaluate_sign_on and user.session.start events between 2026-04-11T00:00Z and 2026-04-24T00:00Z (the exposure window plus the one-day replay tail).
- Hunt for impossible travel in user.session.start: the same user starting sessions from two geographies closer together in time than a commercial flight could cover the distance. Any hit that fires after April 23 deserves direct inspection.
- Force re-authentication on all admin-role users globally. This is a five-minute action with low operational cost, and it shrinks the residual exposure surface. Clearing sessions invalidates the session tokens captured in the window; it does not touch API tokens, which the next step covers.
- Rotate any Okta API tokens issued before April 24, especially those used in CI/CD pipelines.
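The hunt in steps 1 and 2, as an added example (not code from the advisory or from Okta): it builds the query parameters for the System Log endpoint and runs the impossible-travel check over constructed sample events. The sample events, the 900 km/h threshold and the example.com identities are assumptions; the field names follow the Okta System Log event schema.

```python
"""Impossible-travel hunt over Okta System Log events.

Added example for this page, not code from the advisory or from Okta. The
events below are constructed sample data, not real telemetry; field names
follow the Okta System Log event schema (eventType, published, actor,
client.geographicalContext). MAX_PLAUSIBLE_KMH is an assumed threshold.
"""
from __future__ import annotations

import math
from datetime import datetime, timezone
from itertools import groupby

# Okta System Log API path; the query below is what you would send to it.
LOGS_ENDPOINT = "/api/v1/logs"

# Assumed threshold: roughly the cruise speed of a commercial jet. Tune per org.
MAX_PLAUSIBLE_KMH = 900.0


def build_log_query(since: str, until: str, event_types: list[str], limit: int = 1000) -> dict:
    """Query parameters for GET /api/v1/logs. since/until are ISO-8601;
    filter uses Okta's SCIM-style expression syntax."""
    clauses = " or ".join(f'eventType eq "{et}"' for et in event_types)
    return {"since": since, "until": until, "filter": clauses,
            "limit": limit, "sortOrder": "ASCENDING"}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS-84 points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def _published(event: dict) -> datetime:
    # Okta emits RFC 3339 timestamps with a trailing Z.
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def find_impossible_travel(events: list[dict], max_kmh: float = MAX_PLAUSIBLE_KMH,
                           inspect_after: datetime | None = None) -> list[dict]:
    """Pair consecutive user.session.start events per actor and flag pairs whose
    implied ground speed exceeds max_kmh. Findings whose later login falls at or
    after inspect_after (e.g. the end of the exposure window) are marked."""
    sessions = [e for e in events if e.get("eventType") == "user.session.start"]
    sessions.sort(key=lambda e: (e["actor"]["id"], _published(e)))
    findings = []
    for _actor_id, group in groupby(sessions, key=lambda e: e["actor"]["id"]):
        logins = list(group)
        for prev, cur in zip(logins, logins[1:]):
            g1 = prev["client"]["geographicalContext"]["geolocation"]
            g2 = cur["client"]["geographicalContext"]["geolocation"]
            km = haversine_km(g1["lat"], g1["lon"], g2["lat"], g2["lon"])
            hours = (_published(cur) - _published(prev)).total_seconds() / 3600.0
            # Same instant, different place: treat as infinitely fast, not a divide-by-zero.
            speed = (km / hours) if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append({
                    "actor": cur["actor"]["alternateId"],
                    "from": prev["client"]["geographicalContext"]["city"],
                    "to": cur["client"]["geographicalContext"]["city"],
                    "km": round(km), "hours": round(hours, 2), "speed_kmh": round(speed),
                    "after_cutoff": bool(inspect_after and _published(cur) >= inspect_after),
                })
    return findings


def _event(event_type, published, actor, city, lat, lon, ip):
    """Constructed System Log event carrying only the fields the hunt reads."""
    return {"eventType": event_type, "published": published,
            "actor": {"id": f"00u_{actor}", "alternateId": f"{actor}@example.com", "type": "User"},
            "client": {"ipAddress": ip,
                       "geographicalContext": {"city": city, "geolocation": {"lat": lat, "lon": lon}}}}


# Constructed sample: alice "logs in" from London and Sydney two hours apart
# (about 17,000 km, impossible); bob goes New York -> Boston over three hours (fine).
SAMPLE_EVENTS = [
    _event("user.session.start", "2026-04-12T08:00:00.000Z", "alice", "London", 51.5074, -0.1278, "203.0.113.10"),
    _event("policy.evaluate_sign_on", "2026-04-12T08:00:01.000Z", "alice", "London", 51.5074, -0.1278, "203.0.113.10"),
    _event("user.session.start", "2026-04-12T10:00:00.000Z", "alice", "Sydney", -33.8688, 151.2093, "198.51.100.7"),
    _event("user.session.start", "2026-04-12T09:00:00.000Z", "bob", "New York", 40.7128, -74.0060, "192.0.2.5"),
    _event("user.session.start", "2026-04-12T12:00:00.000Z", "bob", "Boston", 42.3601, -71.0589, "192.0.2.9"),
]

if __name__ == "__main__":
    print(build_log_query("2026-04-11T00:00:00Z", "2026-04-24T00:00:00Z",
                          ["user.session.start", "policy.evaluate_sign_on"]))
    cutoff = datetime(2026, 4, 23, tzinfo=timezone.utc)
    for finding in find_impossible_travel(SAMPLE_EVENTS, inspect_after=cutoff):
        print(finding)
```

In production, feed find_impossible_travel the paginated output of GET /api/v1/logs (follow the Link: rel="next" header until it disappears) and set inspect_after to the end of the exposure window so post-window hits surface first. Geolocation in the System Log is IP-derived, so VPN and mobile-carrier egress will produce false positives; treat a hit as a lead to inspect, not a verdict.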
The math, plainly
A confirmed Okta token-replay incident in a 200-employee firm runs roughly $180K–$320K once forensics, notification, and response are tallied (estimate; IBM 2024, financial services band). The four steps above take about half a day of admin time. The math is not complicated.
Drafted by Carbynix’s structured-reasoning pipeline from the linked advisory and customer-environment telemetry. Errors? Tell us — we correct in 24 hours.