Okta, an authentication company used by thousands of organizations around the world, has now confirmed that in January 2022 an attacker had access to one of its employees’ laptops for five days, and that about 2.5 percent of its customers may have been affected, but maintains that its service “has not been breached and remains fully operational.”
The revelation comes as hacking group Lapsus$ posted screenshots on its Telegram channel claiming to be from Okta’s internal systems, including one that appears to show Okta’s Slack channels, and another with a Cloudflare interface.
Any hack from Okta could have major implications for the businesses, universities and government agencies that depend on Okta to authenticate user access to internal systems.
“We have concluded that a small percentage of customers — about 2.5 percent — may have been affected and whose data may have been viewed or acted upon,” Okta chief security officer David Bradbury wrote in an update Tuesday evening. “We have identified those customers and are contacting them directly. If you are an Okta customer and have been affected, we have already contacted you directly by email. We share this interim update, consistent with our values of customer success, integrity and transparency.”
In an earlier statement on Tuesday afternoon, Okta said an attacker would have only had limited access during that five-day period — limited enough that the company claims “no corrective action is required by our customers.”
Here’s what Bradbury says is and isn’t at stake when one of the company’s support engineers is compromised:
The potential impact on Okta customers is limited to the access that support engineers have. These technicians cannot create or delete users, or download customer databases. Support engineers do have access to limited data – for example Jira tickets and user lists – that were seen in the screenshots. Support engineers can also facilitate password resets and MFA factors for users, but cannot obtain those passwords.
In its Telegram channel, the Lapsus$ hacking group writes that it had “Superuser/Admin” access to Okta’s systems for two months, not just five days, that it had access to a thin client rather than a laptop, and claims that it found Okta was storing AWS keys in Slack channels. The group also suggested that its focus was on Okta’s customers.
The Wall Street Journal notes that Okta said in a recent filing that it had more than 15,000 customers around the world. It lists Peloton, Sonos, T-Mobile, and the FCC as customers on its website. Based on the given figure of “about 2.5 percent,” the number of affected customers could be approaching 400.
In an earlier statement to Custom Hour, Okta spokesman Chris Hollis said the company has found no evidence of an ongoing attack. “In late January 2022, Okta discovered an attempt to compromise the account of a third-party customer service representative who worked for one of our subprocessors. The matter has been investigated and is being considered by the sub-processor,” said Hollis. “We believe the screenshots shared online are related to this January event.”
“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Hollis continued. But again, writing in its Telegram channel, Lapsus$ suggested that it had access for a few months.
This is our 3rd attempt to share the 5th – 8th photo. LAPSUS$ displayed a lot of sensitive information and/or user information, so much so that we ended up missing a few to censor.
Photos 5 – 8 are attached below. pic.twitter.com/KGlI3TlCqT
— vx-underground (@vxunderground) March 22, 2022
Lapsus$ is a hacking group that has claimed responsibility for a number of high-profile incidents that hit Nvidia, Samsung, Microsoft, and Ubisoft, in some cases stealing hundreds of gigabytes of confidential data.
Okta says it terminated the support engineer’s Okta sessions and suspended the account in January, but says it didn’t receive the final report from its forensics firm until this week.
Update, 2:38 PM ET: Added Okta’s statement, claiming that the hack was very limited, with no need for corrective action.
Update, 2:58 PM ET: Added the claim of the Lapsus$ hacker group that they had access to a thin client instead of a laptop, and that they discovered that Okta was storing AWS keys in Slack channels.
Update, 11:30 PM ET: Added details of Okta’s updated statement.