^{This article originally appeared on Business Insider.}

Okta’s recent data breach was a lot bigger than previously disclosed.

The password authenticator was hit by a cyberattack in September and said earlier this month that just 1% of its customers were affected.

But in a blog post Wednesday, Okta said hackers stole a report that included the names and email addresses of “all Okta customer support system users.”

David Bradbury, Okta’s chief security officer, said in the post: “While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks.”

Bradbury advised all customers to use multi-factor authentication, which requires more than one security test, to keep their information safe online.

San Francisco-based Okta offers companies identity management tools including single sign-in and multi-factor authentication for secure website logins. The company has more than 18,000 corporate clients including FedEx, S&P Global, T-Mobile and Zoom, per its website.

The company also suffered at least two security breaches last year, TechCrunch reported. A group of hackers called Lapsus$ extortion group accessed a customer support engineer’s account in January 2022 and shared screenshots of Okta’s systems, per the report.

Then in August hacking group Scatter Swine gained access to Okta customer data, it claimed in a blog post, breaching more than 100 companies including software firm Twilio.

Okta didn’t immediately respond to a request for comment from Business Insider, made outside normal working hours.