Okta, an authentication company used by thousands of organizations around the world, has now confirmed that an attacker had access to one of its employees’ laptops for five days in January 2022, but claims that its service “has not been hacked and remains fully operational”.
The disclosure comes as hacking group Lapsus$ posted screenshots on its Telegram channel that it claims show internal Okta systems, including one that appears to show Okta’s Slack channels and another with a Cloudflare interface.
Any hacking of Okta could have major ramifications for businesses, universities, and government agencies that rely on Okta to authenticate user access to internal systems.
But in a statement on Tuesday afternoon, Okta now says an attacker would have had only limited access during that five-day period – limited enough that the company says “there is no corrective action to be taken by our customers”.
Here’s what Okta’s director of security, David Bradbury, says about what is and isn’t at risk when one of its support engineers is compromised:
The potential impact to Okta customers is limited to the access available to support engineers. These engineers are unable to create or delete users, or download customer databases. Support engineers have access to limited data – for example, Jira issues and user lists – that have been seen in screenshots. Support engineers can also help reset passwords and MFA factors for users, but cannot obtain those passwords.
Writing in its Telegram channel, hacking group Lapsus$ claims to have had “superuser/administrator” access to Okta’s systems for two months, not just five days, that it had access to a thin client rather than a laptop, and that it found Okta storing AWS keys in Slack channels. The group also suggested that it used its access to focus on Okta customers. The Wall Street Journal notes that in a recent filing, Okta said it has over 15,000 customers worldwide. It lists the likes of Peloton, Sonos, T-Mobile and the FCC as customers on its website.
In an earlier statement sent to The Verge, Okta spokesman Chris Hollis said the company found no evidence of an ongoing attack. “In late January 2022, Okta detected an attempted compromise of the account of a third-party customer support engineer working for one of our contractors. The matter was investigated and brought under control by the contractor,” said Hollis. “We believe the screenshots shared online are related to this January event.”
“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Hollis continued. But again, writing in its Telegram channel, Lapsus$ suggested that it had access for a few months.
This is our 3rd attempt to share the 5th to 8th photos. LAPSUS$ displayed a lot of sensitive information and/or user information, so much so that we ended up having to censor some of it.
Photos 5 – 8 attached below. pic.twitter.com/KGlI3TlCqT
— vx-underground (@vxunderground) March 22, 2022
Lapsus$ is a hacking group that has claimed responsibility for a number of high-profile incidents affecting Nvidia, Samsung, Microsoft, and Ubisoft, in some cases stealing hundreds of gigabytes of confidential data.
Okta says it terminated its support engineer’s Okta sessions and suspended the account in January, but says it only received the final report from its forensics firm this week.
Update, 2:38 p.m. ET: Added Okta’s statement and claims that the hack was very limited, with no remedial action to be taken.
Update, 2:58 p.m. ET: Added the claim from hacker group Lapsus$ that they had access to a thin client rather than a laptop, and that they found Okta storing AWS keys in Slack channels.