They could see the names and contacts of employees at Okta’s customers and reset their credentials at a bare minimum per the leaked screenshot. That doesn’t seem that minimal?

Based on the screenshots, they could trigger password reset emails. They couldn't directly set the new password.

Not defending Okta's response here; I think it has been quite terrible.