Okta: Lapsus$ breach may impact hundreds of customers

Okta said Tuesday evening that roughly 2.5% of its customers were potentially impacted by the data breach by the Lapsus$ hacker group in January.

The identity and access management vendor did not specify how the customers may have been impacted. Okta has previously disclosed having more than 15,000 customers, and 2.5% of that figure would equal 375 customers.

“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon,” Okta chief security officer David Bradbury said in an update to the company’s post on the Lapsus$ breach.

Earlier on Tuesday, Bradbury had disclosed that Lapsus$ had accessed the account of a customer support engineer, who worked for a third-party provider, for five days in January, according to Bradbury.

Lapsus$ leak

The disclosure followed screenshots posted on Telegram by Lapsus$, showing what the threat actor said was “access to Okta.com Superuser/Admin and various other systems.”

In the updated post Tuesday evening, Bradbury reiterated that “the Okta service is fully operational, and there are no corrective actions our customers need to take.”

However, not all in the tech industry were reassured by Okta’s latest statement on the incident.

“I said last night this was very, very bad. Today I trusted Okta and thought it was okay,” said Dan Starner, an infrastructure software engineer at Salesforce’s Heroku division, in a tweet.

But after the latest disclosure, that more than 2.5% of customers were potentially impacted, “now I know it’s very, very bad and that I don’t trust Okta anymore,” Starner wrote on Twitter. “Security is hard and breaches happen, but lying by omission is worse than telling us our data may be compromised.”

VentureBeat has reached out to Okta for comment.

Impact unclear

While we now know that the number of impacted customers is likely in the hundreds rather than in the thousands, “how they’ve been impacted remains unclear,” said Emsisoft threat analyst Brett Callow in a tweet.

In the updated post, Bradbury said that Okta has identified impacted customers and has “already reached out directly by email.”

“We take our responsibility to protect and secure customers’ information very seriously,” he said. “We deeply apologize for the inconvenience and uncertainty this has caused.”

In the past, customers disclosed by Okta have included JetBlue, Nordstrom, Siemens, Slack, Takeda, Teach for America, Twilio, GrubHub, Bain & Company, Fidelity National Financial, Hewlett Packard Enterprise, T-Mobile, Sonos and Moody’s. In 2017, Okta said that the U.S. Department of Justice was a customer.

In the original post earlier in the day on Tuesday, Bradbury acknowledged that “there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop.”

“This is consistent with the screenshots that we became aware of yesterday,” he said, referring to the screenshots posted by Lapsus$ on Telegram.

‘Failure to disclose’

Bradbury said that the “potential impact to Okta customers is limited to the access that support engineers have.”

These engineers “are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots,” he said. “Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.”

Security researcher Runa Sandvik said on Twitter on Tuesday that some may be “confused about Okta saying the ‘service has not been breached.’”

“The statement is purely a legal word soup,” Sandvik said. “Fact is that a third-party was breached; that breach affected Okta; failure to disclose it affected Okta’s customers.”

Series of attacks

Lapsus$ specified that it did not access Okta itself. “Our focus was ONLY on okta customers,” the group said in its Telegram post.

In a Telegram post Tuesday, responding to Okta’s statement on the breach, Lapsus$ contended that “the potential impact to Okta customers is NOT limited.”

“I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems,” the group said. Lapsus$ also claimed that Okta has been “storing AWS keys within Slack.”

Lapsus$ is believed to operate in South America. Over the past month, Microsoft, Nvidia and Samsung Electronics have confirmed the theft of data by the threat actor.

On Monday, Lapsus$ had claimed to have posted Microsoft source code for Bing, Bing Maps and Cortana on Telegram.

In a blog post Tuesday, Microsoft said that Lapsus$ had gained “limited access” to Microsoft systems by compromising a single account. “Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft researchers said.