Okta, an authentication company used by thousands of organizations around the world, has confirmed that an attacker gained access to one of its employees’ laptops for five days in January 2022 – but claims that its service “has not been hacked and is still fully functional”.
The revelation comes as hacking group $Lapsus has published screenshots of its Telegram channel claiming to be from Okta’s internals, including one that appears to show Okta Slack channels, and one with a Cloudflare interface.
Any hack of Okta could have major repercussions for businesses, universities, and government agencies that rely on Okta to authenticate user access to internal systems.
But In a statement Tuesday afternoonNow, Okta says the attacker only had limited access during that five-day period — limited enough that the company claims there are “no corrective actions our customers should take.”
Here is what David Bradbury, Okta’s chief security officer, says is at risk when a support engineer is compromised:
The potential impact of Okta’s customers is limited to the reach of the support engineers. These engineers are unable to create or delete users, or download client databases. Support engineers have access to limited data – for example, Jira tickets and user lists – seen in the screenshots. Support engineers are also able to facilitate password resets and MFA Users agents, but they are unable to get these passwords.
Hacking group $Lapsus, writing on its Telegram channel, claims to have had “user/administrator” access to Okta’s systems for two months, not just five days, and to have access to a thin client instead of a laptop, and claims to have found Okta stores AWS Keys in Slack Channels. The group also indicated that it was using its zero access in Okta clients. The Wall Street Journal Notes That in a recent filing, Okta said it has more than 15,000 customers worldwide. It lists the likes of Peloton, Sonos, T-Mobile, and FCC as customers On his website.
In a previous statement sent to the edgeOkta spokesperson Chris Hollis said the company has found no evidence of an ongoing attack. “In late January 2022, Okta discovered an attempt to hack into the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor.” Hollis said. “We believe the screenshots shared online are related to this January event.”
“Based on our investigation to date, there is no evidence of ongoing malicious activity other than the activity detected in January,” Hollis continued. But again, I write in their Telegram channel, Suggest Lapsus $ He managed to get through for a few months.
This is our third attempt at sharing the photo from five to eight. $LAPSUS displayed so much sensitive information and/or user information, that we end up losing censorship on some of them.
Pictures 5-8 are attached below. pic.twitter.com/KGlI3TlCqT
– vx-underground (vxunderground) March 22 2022
$Lapsus is a hacking group that has claimed responsibility for a number of notable incidents that affected nvidiaAnd the SamsungAnd the MicrosoftAnd the UbisoftIn some cases, they steal hundreds of gigabytes of confidential data.
Okta says it ended Okta’s support engineer sessions and suspended the account back in January, but claims that it only received the final report from its forensic firm this week.
Update, 2:38 p.m. ET: Okta’s statement and allegations added that the breach was very limited, with no corrective actions to be taken.
Update, 2:58 p.m. ET: The Lapsus $hacker group added that it had access to a thin client instead of a laptop, and that it found Okta storing AWS keys in Slack channels.
“Beer buff. Devoted pop culture scholar. Coffee ninja. Evil zombie fan. Organizer.”