Authentication Technology Provider Okta Breached by Lapsus$ Hacking Group

One of the largest identity authentication technology service providers, Okta, has confirmed a January security incident after the Lapsus$ hacking group published several screenshots on Twitter.

According to reports, the screenshots included internal Okta applications, a Jira bug ticketing system and company Slack channels. As the photos went viral and speculation on an Okta breach spread on social media, Okta co-founder and CEO Todd McKinnon confirmed the breach via Twitter.

Shortly after, Okta Chief Security Officer David Bradbury released an official statement stating that their analysis concluded that roughly 2.5% or approximately 360+ of their customers had been potentially impacted, and those customers had been identified and contacted.

There are several important questions and concerns as the story develops. From my perspective as an experienced cybersecurity professional, there are three primary topics to examine at this point

How did the LAPSUS$ Okta compromise happen?

Okta stated that the initial compromise originated from one of their sub-processors, Sitel. Specifically, it started in a support engineer’s laptop when it was accessed remotely by one or more malicious RDP sessions. Forensic efforts identified a 5-day window in which a threat actor had access to the Sitel environment. Additional details regarding root cause are unavailable at this time, but this should be seen as another example of third-party / supply-chain risk.

What is the potential impact of the Okta compromise?

Although Okta claims the potential impact was limited, the fact that a threat actor had access to reset passwords and MFA for 2.5% customers is worth noting as a significant concern and should not be easily dismissed. LAPSUS$ even responded to Okta’s original downplayed statements by calling out how significant their access was, suggesting that Okta hire a top-tier forensic firm publish the report.

What is next for impacted Okta clients?

Okta was and is confident that no corrective actions need to be taken by their customers. However, having known about the malicious activity since January, Okta failed to communicate to potentially affected customers. Bradbury directly addressed the impact on a live webinar that was broadcast on March 23 to the public.

 “I am greatly disappointed by the long period of time that transpired between our initial notification to Sitel in January, and the issuance of the complete investigation report just hours ago,” said Bradbury. “Upon reflection, once we received the Sitel summary report last week, we should have, in fact, moved more swiftly to understand its implications."

In addition to this admission, the Okta team claims to aim for transparency, which they are demonstrating by providing each customer with details of all related Sitel activity to enable them to perform their own analysis if desired.

Our cybersecurity team will be monitoring this story as it develops and are happy to discuss any concerns you have if you believe you are impacted by this or any other large scale cyber incident.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.