Breach disclosure does not end with the 8-K. Okta, Inc. (NASDAQ: OKTA) filed its fiscal-2026 10-K on March 5, 2026, and it still references the October 2023 incident “where a threat actor gained unauthorized access to and stole information from our third-party customer support system.” Years on, that event remains a fixture of the identity vendor’s risk narrative.
The continuity is visible across the filing trail. The same incident language appears in Okta’s 10-Q filed December 3, 2025 — “that harmed our” business, the snippet continues — and in earlier quarterly reports. A breach that prompts an 8-K becomes a recurring disclosure in the periodic reports, because the company must keep telling investors how the event affects the business until it no longer does.
For an identity provider, the choice of system matters. The compromised environment was the third-party customer support system, not Okta’s core identity platform — a distinction the company has been consistent about. But for a vendor whose entire value proposition is trust in authentication, a support-system breach still strikes at reputation, which is why the language lingers in the risk factors long after the technical cleanup.
The filing also illustrates a pattern Okta itself documents: it notes prior incidents, including a January 2022 event involving a third-party, in its discussion of the impact of cybersecurity incidents. Read together, the disclosures map an identity vendor’s recurring exposure through its support and vendor surfaces — the soft tissue around the hardened core.
The disclosure discipline for readers is to follow a breach past its first headline. The 8-K is the alarm; the 10-K and 10-Q risk factors are the long-term prognosis, and they often say more about lasting harm than the initial filing did. Okta’s primary record is at sec.gov, surfaced via EdgarBeast (“SEC filing data API & evidence index”). When a breach keeps appearing in annual reports, that persistence is itself the story.