Okta: Lapsus$ Breach Lasted only 25 minutes, hit 2 Customers
Identity and access management firm Okta says an investigation into the January Lapsus$ breach concluded the incident’s impact was significantly smaller than expected.
Based on the final forensic report, Okta’s Chief Security Officer David Bradbury said the attacker only accessed the two active customer tenants after gaining control of a single workstation used by an engineer working for Sitel, the third-party customer support services provider at the center of the incident.
This unexpectedly limited impact stems from the narrow window of time of only 25 consecutive minutes the threat actor had control over the compromised workstation on January 21, 2022.
“During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants,” Bradbury explained on Tuesday.
“The threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support ‘impersonation’ events.”
Okta’s CSO added that the company would ensure that its services providers comply with new security requirements, including adopting Zero Trust security architecture and authenticating via Okta’s IDAM solution for all workplace apps
Okta also terminated its relationship with Sitel and is now directly managing all third-party devices with access to its customer support tools.
Breached via “legacy” infrastructure
Okta admitted last month it made a mistake delaying the disclosure of a January breach from the Lapsus$ data extortion group, an error caused by the company not being aware of the extent of the incident and its impact on customers.
As reported by BleepingComputer, Okta began investigating claims of a hack after Lapsus$ shared screenshots in a Telegram channel implying they had breached Okta’s customer networks.
Initially, Okta said that a Lapsus$ hacker obtained Remote Desktop (RDP) access to a Sitel support engineer’s laptop over “a five-day window” between January 16 and January 21.
Sitel later blamed the breach on “legacy” infrastructure at newly acquired Sykes, which contributed to the incident and allowed the attackers to access the engineer’s system
The day after it was disclosed, Okta’s CEO Todd McKinnon labeled the brach as an “attempt” to compromise the account of a single support engineer. However, Okta later said that 366 of its customers were impacted by the incident.
“While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta,” Bradbury concluded today.
“We recognize how critical Okta is to so many organizations and the individuals who rely on them, and are more determined than ever to deliver for them.”
Okta is a publicly-traded company worth over $6 billion and employing over 5,000 people worldwide that provides identity management and authentication services to over 15,000 organizations around the globe.