Okta defends 2-week gap in response to identity token theft, says 134 customers affected (therecord.media)
from throws_lemy@lemmy.nz to cybersecurity@sh.itjust.works on 05 Nov 2023 10:40
https://lemmy.nz/post/3048233

#cybersecurity

Potatos_are_not_friends@lemmy.world on 05 Nov 2023 13:52

In a new blog post on Friday, the identity management company said that from September 28 to October 17, a threat actor “gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers.”

Oh, that doesn’t seem bad.

“The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers,” the company said, noting that three of the customers — password manager 1Password, access management firm BeyondTrust and internet security company Cloudflare — have already come forward with their own reports about what happened.

Wait, each customer individually could be holding millions of passwords. Well, yikes.