Okta, an authentication company used by countless organizations around the globe, has now confirmed that an attacker had access to one of its employees’ laptops for five days in January 2022, but says its service “has not been breached and remains fully operational.”
The disclosure comes as the hacking group Lapsus$ has posted screenshots to its Telegram channel that it claims are of Okta’s internal systems, including one that shows Okta’s Slack channels and another showing a Cloudflare interface.
Any breach of Okta could have significant implications for the businesses, universities, and government agencies that rely on Okta to authenticate user access to their internal systems.
But in a statement on Tuesday afternoon, Okta now says that an attacker would only have had limited access during that five-day period, limited enough that the company says “there are no corrective actions that need to be taken by our customers.”
Here’s what Okta chief security officer David Bradbury says is and isn’t at stake when one of the company’s support engineers is compromised:
The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.
David Bradbury, Chief Security Officer, Okta
Writing in its Telegram channel, the Lapsus$ hacking group claims to have had “Superuser/Admin” access to Okta’s systems for two months, not just five days, that it had access to a thin client rather than a laptop, and claims that it found Okta storing AWS keys in Slack channels. The group also suggested it was using its access to focus on Okta’s customers.
In an earlier statement, Okta spokesperson Chris Hollis said the company has not found evidence of an ongoing attack. “In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” Hollis said. “We believe the screenshots shared online are connected to this January event.”
“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Hollis continued. But again, writing in its Telegram channel, Lapsus$ suggested that it had access for a couple of months.
Lapsus$ is a hacking group that has claimed responsibility for a number of high-profile incidents affecting Nvidia, Samsung, Microsoft, and Ubisoft, in many cases stealing many gigabytes of confidential data.
Okta says it terminated the support engineer’s Okta sessions and suspended the account back in January, but says it only received the final report from its forensics firm today.