A hacking group that recently extorted Samsung, Nvidia and Microsoft after stealing and publishing their source code said Monday it also accessed systems used by Okta, a major tech vendor to finance and other industries.
Okta’s services vary among the
The incident is a cautionary tale about the security dangers of working with third parties, the reputational damage that can come from hackers’ leaks, and the need to disclose details of a security breach and respond to comments about it as quickly as possible.
On Tuesday, Okta confirmed some of the claims by the cybercriminals, known as Lapsus$, and said the group had gained access to certain data on 366 Okta customers, roughly 2.5% of its customer base. The group did so by gaining access through a third-party contractor, Sitel.
Among the banks and credit unions that patronize Okta are
Major nonbank
Lapsus$ said it “did not access” or steal “any databases from Okta.” Okta said the data Lapsus$ could see was “limited to the access that support engineers have,” which does not include the ability to create or delete user identity or login information, nor the ability to download customer databases.
“Support engineers do have access to limited data — for example, Jira [helpdesk] tickets and lists of users — that were seen in the screenshots,” David Bradbury, chief security officer for Okta, said in a blog post. “Support engineers are also able to facilitate the resetting of passwords and multifactor authentication factors for users, but are unable to obtain those passwords.”
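The practical question for an Okta customer reading the statement above is whether anyone used that support-level access against its tenant. The following script is an added example, not code from the article, Okta, Sitel or Cloudflare: it scans Okta System Log entries for the two actions the article says support engineers can facilitate, password resets and MFA factor resets, and reports the ones performed on a user by someone other than that user within a chosen window. The log lines are constructed for the example, and the event type names are an assumption to be checked against your own tenant's System Log.

```python
import json
from datetime import datetime, timezone

# Okta System Log event types matching the actions the article says support
# engineers can "facilitate": password resets and MFA factor resets.
# Assumed names for this example; verify them against your tenant before
# building a production detection on them.
RESET_EVENT_TYPES = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}

# Constructed sample of newline-delimited System Log entries (not real data).
# Line 2 and 3: a support account resets bob's password and all MFA factors.
# Line 4: bob resets his own password (self-service, not interesting).
# Line 5: the same support account resets carol's password in March.
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2022-01-18T09:01:00.000Z","actor":{"id":"00u1","alternateId":"alice@example.com","type":"User"},"target":[],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.reset_password","published":"2022-01-18T09:05:00.000Z","actor":{"id":"00u9","alternateId":"support-eng@example.com","type":"User"},"target":[{"id":"00u2","alternateId":"bob@example.com","type":"User"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.reset_all","published":"2022-01-18T09:06:00.000Z","actor":{"id":"00u9","alternateId":"support-eng@example.com","type":"User"},"target":[{"id":"00u2","alternateId":"bob@example.com","type":"User"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.reset_password","published":"2022-01-18T10:00:00.000Z","actor":{"id":"00u2","alternateId":"bob@example.com","type":"User"},"target":[{"id":"00u2","alternateId":"bob@example.com","type":"User"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.reset_password","published":"2022-03-20T14:00:00.000Z","actor":{"id":"00u9","alternateId":"support-eng@example.com","type":"User"},"target":[{"id":"00u3","alternateId":"carol@example.com","type":"User"}],"outcome":{"result":"SUCCESS"}}
"""


def parse_ts(s):
    """Parse the Zulu timestamp format used in the sample ("...T09:05:00.000Z")."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_third_party_resets(log_text, start, end):
    """Return reset events inside [start, end] where the actor is not the
    target user. Self-service resets (actor == target) are the normal case
    and are dropped; everything else is what a support engineer, or someone
    driving a support engineer's session, would produce."""
    start_ts, end_ts = parse_ts(start), parse_ts(end)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventType") not in RESET_EVENT_TYPES:
            continue
        ts = parse_ts(ev["published"])
        if not (start_ts <= ts <= end_ts):
            continue
        actor = ev["actor"]
        for tgt in ev.get("target", []):
            if tgt.get("type") != "User" or tgt["id"] == actor["id"]:
                continue
            hits.append({
                "published": ev["published"],
                "eventType": ev["eventType"],
                "actor": actor.get("alternateId"),
                "target": tgt.get("alternateId"),
                "result": ev.get("outcome", {}).get("result"),
            })
    return hits


def by_actor(hits):
    """Count third-party resets per actor: one account resetting many users
    in a short span is the pattern worth escalating."""
    counts = {}
    for h in hits:
        counts[h["actor"]] = counts.get(h["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    # Review the month the article says the incident occurred.
    hits = find_third_party_resets(SAMPLE_LOG,
                                   "2022-01-01T00:00:00.000Z",
                                   "2022-01-31T23:59:59.000Z")
    for h in hits:
        print(f'{h["published"]} {h["eventType"]}: {h["actor"]} -> {h["target"]} ({h["result"]})')
    print("per actor:", by_actor(hits))
```

Run against a real export, the interesting output is a reset actor that is not a known helpdesk identity, or a known one acting at an unusual hour or against users it never touches; that is the evidence a customer would need to decide whether the access Okta describes was actually exercised against its tenant.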
Lapsus$ posted those screenshots in its channel on Telegram, a messaging service, Monday night. Among other items, the screenshots show an Okta system called SuperUser, specifically for one of Okta’s major customers, Cloudflare. The internet services provider
Within two hours after Lapsus$ posted the screenshot, Cloudflare CEO Matthew Prince
Just before 4:30 a.m. Eastern Time on Tuesday, Okta CEO Todd McKinnon
For some, the statement seemed to constitute an admission from Okta that it had suffered a security incident in January. Skeptics also said McKinnon’s claim that the compromise was “unsuccessful” did not track with what Lapsus$ seemed to show with its screenshots — that the cybercriminals had successfully gotten into part of Okta’s systems.
In that midst, Forbes
The screenshots are very worrisome. In the pictures below, LAPSUS$ appears to have gotten access to the @Cloudflare tenant with the ability to reset employee passwords: pic.twitter.com/OZBMenuwgJ
— Bill Demirkapi @ ShmooCon (@BillDemirkapi) March 22, 2022
Okta then published another
After the update, Lapsus$ trolled Okta in its Telegram channel, including by pointing out Okta customers had only learned that day about a breach that happened in January, a complaint others also made.
“Okta now says 2.5% of customers may have been impacted and they are contacting them,” said Eva Galperin, director of cybersecurity for the policy advocacy group Electronic Frontier Foundation, linking to the Okta update. “This seems like something they should have done two months ago.”
Long after companies including
One of the key details he shared was that it took just under two months for a forensic firm to investigate the January incident on behalf of Sitel, a subprocessor that provides Okta with contract workers for its customer support operations. Lapsus$, Bradbury said, had gained access to the laptop of a Sitel employee.
“The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard,” Bradbury said in a blog post.
Sitel retained a forensics firm to investigate the incident, but it took nearly two months for the firm to complete the assessment and another week for Sitel to share the results with Okta. Bradbury said Sitel shared the report on March 17, and Lapsus$ shared screenshots from the breach five days later — apparently before Okta even fully reviewed the report.
“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report,” Bradbury said in a blog post. “Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.”