Okta: Lapsus$ Breach Could Affect Hundreds of Customers


Okta said Tuesday evening that about 2.5% of its customers may have been affected by the data breach by the Lapsus$ hacker group in January.

The identity and access management provider has not specified how the customers may have been affected.

“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – may have been affected and whose data may have been accessed or acted upon,” Okta chief security officer David Bradbury said in an update to the company’s post regarding the Lapsus$ breach.

Earlier on Tuesday, Bradbury disclosed that in January, Lapsus$ had five days of access to the account of a customer support engineer who worked for a third-party provider.

In a separate post on Tuesday about Okta’s investigation into the breach, Bradbury said the “maximum potential impact” of the breach is 366 customers (about 2.5% of Okta’s 15,000 customers).

Bradbury also identified the third-party provider as Sitel, which provides Okta contract workers for customer support. Despite an investigation launched Jan. 21 by a “leading forensics firm,” Okta did not receive a report from Sitel about the incident until March 17, Bradbury said.

“I am deeply disappointed at the length of time that has elapsed between our notification to Sitel and the issuance of the full investigation report,” Bradbury said in the post about the investigation. “In retrospect, once we received Sitel’s summary report, we should have acted faster to understand its implications.”

Lapsus$ leak

The revelations by Okta were in response to screenshots Lapsus$ posted to Telegram showing what the threat actor described as “access to Okta.com Superuser/Admin and various other systems”.

In the updated post Tuesday night, Bradbury reiterated that “the Okta service is fully operational and there are no corrective actions for our customers to take.”

However, not everyone in the tech industry was reassured by Okta’s latest statement about the incident.

“I said last night this was really bad. Today I trusted Okta and thought it was okay,” Dan Starner, an infrastructure software engineer in Salesforce’s Heroku division, said in a tweet.

But after the latest revelation that more than 2.5% of customers may have been affected, “now I know it’s really bad and I don’t trust Okta anymore,” Starner wrote on Twitter. “Security is tough and breaches happen, but lying by omission is worse than telling us our data may be compromised.”

VentureBeat has reached out to Okta for comment.

Impact unclear

While we now know that the number of affected customers is likely in the hundreds rather than the thousands, “it remains unclear how they were affected,” Emsisoft threat analyst Brett Callow said in a tweet.

In the updated post, Bradbury said Okta has identified the affected customers and has “already contacted them directly by email”.

“We take our responsibility to protect and secure customer information very seriously,” he said. “Our sincere apologies for the inconvenience and uncertainty this has caused.”

Customers previously disclosed by Okta have included JetBlue, Nordstrom, Siemens, Slack, Takeda, Teach for America, Twilio, GrubHub, Bain & Company, Fidelity National Financial, Hewlett Packard Enterprise, T-Mobile, Sonos and Moody’s. In 2017, Okta said the US Department of Justice was a client.

In the original post earlier on Tuesday, Bradbury acknowledged that “there was a five-day period between January 16 and 21, 2022, during which an attacker had access to a support technician’s laptop.”

“This is consistent with the screenshots we became aware of yesterday,” he said, referring to the screenshots Lapsus$ posted on Telegram.

‘Do not disclose’

Bradbury said the “potential impact on Okta customers is limited to the access that support technicians have.”

These technicians “cannot create or delete users, or download customer databases. Support technicians do have access to limited data — for example, Jira tickets and user lists — that were seen in the screenshots,” he said. “Support technicians can also facilitate the resetting of passwords and MFA factors for users, but cannot obtain those passwords.”

Security researcher Runa Sandvik said on Twitter on Tuesday that some “might be confused because Okta says the ‘service has not been breached’.”

“The statement is purely a legal soup of words,” Sandvik said. “The fact is that a third party was breached; that breach affected Okta; not disclosing it impacted Okta’s customers.”

Series of attacks

Lapsus$ has indicated that it does not have access to Okta itself. “Our focus was ONLY on okta customers,” the group said in its Telegram message.

In a Telegram post Tuesday, in response to Okta’s statement about the breach, Lapsus$ claimed that “the potential impact on Okta customers is NOT limited.”

“I’m pretty sure that resetting passwords and MFA would result in a complete compromise of many client systems,” the group said. Lapsus$ also claimed that Okta “stored AWS keys in Slack”.

Lapsus$ is believed to be active in South America. In the past month, Microsoft, Nvidia and Samsung Electronics confirmed the threat actor’s data theft.

On Monday, Lapsus$ had claimed to have posted Microsoft source code for Bing, Bing Maps and Cortana on Telegram.

In a blog post Tuesday, Microsoft said Lapsus$ had gained “limited access” to Microsoft systems by compromising a single account. “Our cybersecurity response teams rushed to recover the compromised account and prevent further activity,” Microsoft researchers said.


This post, “Okta: Lapsus$ Breach Could Affect Hundreds of Customers”, was originally published at https://venturebeat.com/2022/03/22/okta-lapsus-breach-may-impact-hundreds-of-customers/