Okta: Lapsus$ attackers had access to support engineer’s laptop

Okta says that a rapid investigation into the sharing of screenshots purporting to show a data breach has revealed they relate to a “contained” security incident that took place in January 2022.

Okta, an enterprise identity and access management company, launched an inquiry after the LAPSUS$ hacking group posted screenshots on Telegram that the hackers claimed were taken after gaining access to “Okta.com Superuser/Admin and various other systems.”


Screenshot via Telegram

The images were shared on Telegram and various social media networks this week.

“For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor[…],” LAPSUS$ said. “Before people start asking, we did not access/steal any databases from Okta — our focus was only on Okta customers.”

In an emailed statement on Tuesday, Okta said the screenshots shared online “appear to be connected to a security event in late January.”

Okta said:

“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe that the screenshots shared online are connected to this January event.”

“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Okta added.

In a tweet, Cloudflare CEO Matthew Prince added to the discussion, commenting:

“We are aware that Okta may have been compromised. There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.”

Lapsus$ is a hacking group that has rapidly risen through the ranks by allegedly breaking into the systems of high-profile companies, one after the other, in order to steal data and threaten to leak it online unless blackmail payments are made.

Recent breaches linked to the group include those experienced by Samsung, Nvidia, and Ubisoft.

On Sunday, a screenshot was shared that suggested an alleged Microsoft breach may have taken place, possibly via an Azure DevOps account, although the post has since been deleted. Microsoft is investigating.

Based in San Francisco, Okta is a publicly-traded company with hundreds of customers, including many technology vendors. The company counts FedEx, Moody’s, T-Mobile, JetBlue, and ITV among its customers.

“Lapsus$ is known for extortion, threatening the release of sensitive information, if demands by its victims are not made,” commented Ekram Ahmed, spokesperson at Check Point. “The group has boasted breaking into Nvidia, Samsung, Ubisoft and others. How the group managed to breach these targets has never fully been clear to the public. If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent string [of] successes.”

Update 19.07GMT: Okta has provided further details of the cybersecurity incident. In an updated statement, the technology vendor said “Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.”

Okta also said that during the January incident, the impacted customer support engineer’s account was quickly suspended while a third-party cyberforensics firm investigated the issue.

“Following the completion of the service provider’s investigation, we received a report from the forensics firm this week,” Okta said. “The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop.”

The company commented:

“The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data — for example, Jira tickets and lists of users — that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”

Okta’s investigation is ongoing. The company added that there is no impact to Auth0, HIPAA, or FedRAMP customers.

Update 7.39am GMT 23/3: Okta has now revised its estimate to potentially impact 2.5% of customers.
