
BeyondTrust reported the issue. Cloudflare is the first known Okta customer targeted, and 1Password is the second known. I think that’s what Ars is saying?


Makes sense - those are the two juiciest customers I bet Okta has, also the best equipped to detect any potential problems vectoring via Okta.


All 3 customers detected it quickly on their own. It sounds from their blog posts that BeyondTrust and Cloudflare both had good alerting that immediately alerted them to the problem. It sounds like 1Password's alerting wasn't as good, and they got lucky that the impacted employee saw a suspicious email saying "here's the report you requested", thought "I didn't request that report", and reported the suspicious email to the security response team.

https://www.beyondtrust.com/blog/entry/okta-support-unit-bre...

https://blog.cloudflare.com/how-cloudflare-mitigated-yet-ano...

https://blog.1password.com/okta-incident/


There were 3 known customers targeted.

>BeyondTrust reported the issue.

All 3 customers discovered the issue before Okta fixed the issue. I think all 3 reported the issue to Okta before Okta fixed the issue, but I'm not sure. 1Password and BeyondTrust both reported the issue to Okta before Okta discovered the issue (although 1Password wasn't sure whether the cause was a compromise of Okta's support or malware on the laptop; 1Password didn't find malware, but still thought there might be some). I'm not sure whether Cloudflare reported the issue to Okta before Okta fixed the issue, but it seems likely due to timing. Cloudflare was compromised Oct 18 and immediately discovered it, and the very next day Okta fixed the issue, whereas previously the issue had been languishing for 19 days. That seems to indicate to me that Cloudflare reported it to Okta and Okta kicked their incident response into high gear due to Cloudflare's report.

All 3 customers posted blog posts about the issue after Okta posted a blog post about the issue.

The order they were targeted was: 1Password (Sept 29), BeyondTrust (Oct 2), Cloudflare (Oct 18). I think they reported the issues to Okta in that same order (BeyondTrust reported the issue to Okta the same day they were targeted, I'm not sure about 1Password, and as mentioned above, I suspect Cloudflare reported the issue to Okta the same day they were targeted).

The order they posted blog posts about the issue was: Okta, BeyondTrust, Cloudflare, 1Password.

https://sec.okta.com/harfiles

https://www.beyondtrust.com/blog/entry/okta-support-unit-bre...

https://blog.cloudflare.com/how-cloudflare-mitigated-yet-ano...

https://blog.1password.com/okta-incident/

https://krebsonsecurity.com/2023/10/hackers-stole-access-tok...

Ars never mentions Cloudflare. Ars says

>Security firm BeyondTrust said it discovered the intrusion after an attacker used valid authentication cookies in an attempt to access its Okta account. The attacker could perform “a few confined actions,” but ultimately, BeyondTrust access policy controls stopped the activity and blocked all access to the account. 1Password now becomes the second known Okta customer to be targeted in a follow-on attack.

That seems to say "BeyondTrust was first and 1Password was second".



