Okta has confirmed that they were hacked by LAPSUS$ ransomware group.
LAPSUS$ ransomware posted screenshots which they claimed were of Okta’s internal company environment yesterday. Today, the authentication services provider has updated a blog post confirming the breach:
“After a thorough analysis of these claims, we have concluded that a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly,” Okta CSO David Bradbury said.
2.5% equates to 375 of Okta’s customers.
“If you are an Okta customer and were impacted, we have already reached out directly by email,” Bradbury continued.
It’s believed that the incident took place in January 2022.
In a subsequent statement, Okta published a series of updated blog posts providing more detail.
Chief security officer David Bradbury revealed the hackers had accessed the computer of a customer-support engineer working for the sub-processor, over a five-day period in mid-January.
The attack had been “analogous to walking away from your computer at a coffee shop, whereby a stranger has – virtually, in this case – sat down at your machine and is using the mouse and keyboard”, he said.
Discussing the breach, Jon Andrews, VP of EMEA at Gurucul, stated:
“The concern here is that Lapsus$ seems to be after source code, which is a huge risk for all of Okta’s customers, who will find themselves with a factor of risk on their systems. In fact, once it’s leaked, source code could allow attackers to tailor their tactics and to make their activity look like legitimate, normal behaviour, which is not flagged by most security systems.
Okta, on the other hand, is doing a good job at responding promptly, with an investigation being launched and released to customers within 48 hours. The speed of response reflects the critical nature of this kind of compromise, which is becoming ever more common. Attackers such as Lapsus$ spend a long time within their victims’ network, looking for the pieces of information that, if released, will hurt the company the most.
Lapsus$ is interesting also because they seem to use different attack vectors every time – sometimes it’s a spear phishing email, other times it’s exploiting a dormant identity. This is proving effective because often organisations have different security systems that cover individual vectors within their infrastructure, but these security solutions don’t necessarily communicate well with each other and fail to offer a holistic view of the environment and the threats within. It is for this reason that it is paramount to have a multi-layered security programme that can cover the entire attack surface and speed up detection… Two months is a long time to have an attacker poking around your systems.”