Okta Confirms 2.5% of Customers Impacted by Lapsus Breach

Okta has admitted that hundreds of customers may have been impacted by a prolific hacking group’s attack via a third-party provider.

The authentication firm’s chief security officer, David Bradbury, said 2.5% of its estimated 15,000+ customers were potentially affected by the breach and that their data “may have been viewed or acted upon.”

Ransom group Lapsus shared screenshots over the weekend , which purportedly showed “superuser” access to an internal Okta desktop on January 21 this year.

Bradbury confirmed yesterday that attackers did indeed have access to a third-party support engineer’s laptop for a five-day window between January 16-21.

However, despite admitting customer data may have been viewed or acted upon, the CSO downplayed the impact.

“These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots,” he argued.

“Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”

Lapsus has since challenged these statements and argued that password/MFA resets would be enough to compromise many customers.

In related news, another recent purported Lapsus victim, Microsoft, admitted yesterday that it had indeed been breached by the group.

However, it refused to clarify whether the claimed Lapsus leak of 37GB of source code was genuine.

“This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access,” it said in a blog post.

“Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

Microsoft’s assessment of the threat group did not include mention of its potential compromise of Okta as a vector for recent big-name breaches at companies including Vodafone, Samsung and Nvidia.

However, it did claim to have found cases where Lapsus managed to access victim networks by paying insiders at the company or its suppliers/partners.

Leave a Reply