Authentication Specialist Okta Denies Data Breach

Whistleblower leak keyboard security breach © CarpathianPrince Shutterstock

Okta says there was an unsuccessful compromise attempt in January via a third party, but it had limited potential impact to its customers

Authentication specialist Okta has dismissed reports of a data breach by the Brazilian-based hacking group Lapsus$.

San Francisco-based Okta provides authentication services for corporates including Fedex and Moody’s to provide access to their networks.

Late on Monday, the extortionist group Lapsus$ posted screenshots on its Telegram channel of what it claimed was internal information.

data breach, security breaches

Contained incident

In an accompanying message, the hacking group said its focus was “ONLY on Okta customers.”

However Okta has said the alleged hack could be related to a previously undisclosed incident in January which has since been contained.

The firm’s chief security officer, David Bradbury, provided an update in a blog post on Tuesday.

“The Okta service has not been breached and remains fully operational,” Bradbury wrote. “There are no corrective actions that need to be taken by our customers.”

Bradbury revealed that Okta had detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider in January.

“As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account,” wrote Bradbury. “Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.”

Okta said it has received a report from the forensics firm this week.

“The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” wrote Bradbury. “This is consistent with the screenshots that we became aware of yesterday.”

But Bradbury wrote the potential impact to Okta customers is limited to the access that support engineers have.

“These engineers are unable to create or delete users, or download customer databases,” wrote Bradbury. “Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”

Bradbury said Okta is actively continuing its investigation, including identifying and contacting those customers that may have been impacted.

“There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers,” stressed Bradbury. “We take our responsibility to protect and secure our customers’ information very seriously. We are deeply committed to transparency and will communicate additional updates when available.”

Busy Lapsus$

Meanwhile security experts are still warning Okta customers to proceed with caution, pointing out it has taken two months for the firm to acknowledge the incident in January.

“The Lapsus$ group is heavily turning up the heat on multiple organisations and to make matters worse, these images are being posted up to two months after the breach has occurred,” noted Jake Moore, global cyber security advisor at ESET.

“The attackers have had plenty of time to learn their way around and have free reign on the whole network completely undetected,” cautioned Moore. “Okta’s customers along with customers of companies who also rely on the technology must now be extra vigilant and cautious of any suspicious activity on their accounts, especially from unsolicited emails.”

Lapsus$ has also this week alleged Microsoft could be its latest victim after it leaked 37GB of Redmond source code.

Microsoft said it is investigating the claim.

Lapsus$ first began to be noticed in December, when it breached the Ministry of Health of Brazil, as well as number of Brazilian and Portuguese companies including the Portuguese media company Impresa, and South American telecoms Claro and Embratel.

In February Lapsus$ hacked GPU powerhouse Nvidia and released a 20GB document archive of 1TB of data stolen from the GPU designer. Nvidia confirmed that a cyber attacker had leaked employee credentials and some company proprietary information online after their systems were breached.

In February, Vodafone’s Portuguese unit was hit with a cyberattack that disrupted its services. Vodafone said at the time that customers’ personal data had not been compromised.

But that attack was so serious that Vodafone Portugal’s 4G/5G mobile networks were taken down, as was SMS texts, television services, answering services, and even fixed-line voice.

This month Vodafone revealed it was working with law enforcement to investigate hacking claims made by Lapsus$.

Lapsus$ also claimed responsibility earlier this month for the data breach of South Korean electronics giant Samsung, which resulted in the theft of 190GB of data.

The group also seemingly took credit for breaching Ubisoft this month.