Authentication specialist Okta now admits that Lapsus$ may have in fact accessed customer data, after initially denying a breach
Authentication specialist Okta has backtracked and now conceded that some of its customers have been impacted by a data breach carried out by the Brazil-based hacking group Lapsus$.
The San Francisco-based firm provides authentication services that corporates including FedEx and Moody’s use to provide access to their networks.
Late on Monday, the extortionist group Lapsus$ posted screenshots on its Telegram channel of what it claimed was internal Okta information.
However, Okta said the alleged hack could be related to a previously undisclosed incident in January, which has since been contained.
The failure to disclose that security incident for two months was then compounded when the firm’s chief security officer, David Bradbury, insisted in a blog post on Tuesday that “the Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.”
But hours after that, Bradbury, in an update to that blog post, admitted that a “small percentage of customers” have potentially been impacted.
“As we shared earlier today, we are conducting a thorough investigation into the recent Lapsus$ claims and any impact on our valued customers,” he wrote in the update. “The Okta service is fully operational, and there are no corrective actions our customers need to take.”
“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5 percent – have potentially been impacted and whose data may have been viewed or acted upon.”
Hundreds of customers
Okta claims to have more than 15,000 customers in total, so if the 2.5 percent compromise figure is correct, it could mean that up to 375 organisations must investigate logins to their systems.
“We have identified those customers and are contacting them directly,” wrote Bradbury. “If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.”
Bradbury insisted that Okta’s customers are its number one priority.
“We take our responsibility to protect and secure customers’ information very seriously,” he wrote. “We deeply apologise for the inconvenience and uncertainty this has caused.”
Okta’s Bradbury is hosting a live webinar tomorrow, Wednesday, 23 March (8am PDT), to share more technical details of the breach.
Lapsus$ has also this week alleged Microsoft could be its latest victim after it leaked 37GB of Redmond source code.
Microsoft at first said it was investigating the claim, but it then issued an update in which it revealed that while Lapsus$ did indeed manage to see some of its source code – as the gang claimed earlier this week – just one Microsoft account was compromised.
And the good news is that the compromised account only offered “limited access” to source code.
Lapsus$ first began to be noticed in December, when it breached the Ministry of Health of Brazil, as well as a number of Brazilian and Portuguese companies including the Portuguese media company Impresa, and South American telecoms Claro and Embratel.
In February, Lapsus$ hacked GPU powerhouse Nvidia and released a 20GB document archive from 1TB of data stolen from the GPU designer. Nvidia confirmed that a cyber attacker had leaked employee credentials and some company proprietary information online after its systems were breached.
In February, Vodafone’s Portuguese unit was hit with a cyberattack that disrupted its services. Vodafone said at the time that customers’ personal data had not been compromised.
But that attack was so serious that Vodafone Portugal’s 4G/5G mobile networks were taken down, as were SMS texts, television services, answering services, and even fixed-line voice.
This month Vodafone revealed it was working with law enforcement to investigate hacking claims made by Lapsus$.
Lapsus$ also claimed responsibility earlier this month for the data breach of South Korean electronics giant Samsung, which resulted in the theft of 190GB of data.
The group also seemingly took credit for breaching Ubisoft this month.