Okta concludes investigation into alleged LAPSUS$ security breach

Okta company logo appearing on a smartphone which is placed upon a Windows laptop's keyboard
(Image credit: Getty Images)

21/04/2022: Okta concludes investigation into LAPSUS$ breach

Okta has announced the conclusion of its investigation into a breach of its systems by the LAPSUS$ hacking group, saying the scope of the attack is far smaller than originally predicted.


How a platform approach to security monitoring initiatives adds value

Integration, orchestration, analytics, automation, and the need for speed


Okta and the outside digital forensics company it hired to support the investigation, believed to be Mandiant, concluded hackers were able to control just a single computer belonging to a Sitel support engineer for 25 minutes on 21 January 2022.

This computer had access to Okta's resources but the hacker was only able to access a total of two customer tenants during that 25-minute window, many fewer victims than the hundreds it originally believed to have been affected. Okta said both of these customers have been notified privately.

The hackers were unable to perform any configuration changes, reset any multi-factor authentication (MFA) passwords, or impersonate customer support with Okta customers, it said.

The identity and access management company admitted that although the impact is much less severe than originally thought, it understands "the broad toll" such a breach could have on its customers.

Going forwards, Okta said it is strengthening its audit procedures for sub-processors, will directly manage all devices of third parties that access Okta customer support tools, and review its customer communication process to ensure a similar event is prevented in future.

"Okta’s customers are our pride, purpose, and #1 priority. It pains us that, while Okta’s technology excelled during the incident, our efforts to communicate about events at Sitel fell short of our own and our customers’ expectations," said David Bradbury, chief security officer at Okta.

"Okta’s leadership team has met with thousands of customers over the past few weeks to talk through our response directly. We conclude this investigation with a far stronger partnership and a sense of a shared journey with our customers. We recognise how critical Okta is to so many organisations and the individuals who rely on them, and are more determined than ever to deliver for them."

22/03/2022: Okta confirms investigation into alleged LAPSUS$ security breach

Cloud identity and access management provider Okta has confirmed that it's investigating a potential breach after the LAPSUS$ hacking group posted screenshots of what appears to be the back-end of Okta’s systems.

Announcing the breach in the early hours of Tuesday morning, LAPSUS$ said on its Telegram channel that it did not steal or access any Okta databases and its focus was solely on Okta’s customers.

Okta's CEO Todd McKinnon confirmed that the company started an investigation after it detected an attempt to compromise the account of a third party customer support engineer working for one of [its] subprocessors”.

“The matter was investigated and contained by the subprocessor,” McKinnon said. “We believe the screenshots shared online are connected to this January event,” he added. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

IT Pro pressed Okta for further details but it did not provide any new information in the statement it shared.

The date and timestamps seen in the screenshots provided by LAPSUS$ indicated the hackers were inside Okta’s environment on 21 January 2022, aligning with the mention of “late January 2022” by McKinnon, which means Okta was aware of a serious breach attempt and failed to notify customers for two months.

LAPSUS$ said it was able to achieve superuser/admin access to the Okta “and various other systems”.

“For a service that powers authentication systems to many of the largest corporations, and FEDRAMP-approved, I think these security measures are pretty poor,” said the group.

LAPSUS$ showing user account control privileges, sensitive information redacted

LAPSUS$ showing user account control privileges, sensitive information redacted (Image credit: IT Pro)

One of the images posted by LAPSUS$ appeared to show the hackers were able to reset user passwords for employee passwords. The account shown in the image belonged to a Cloudflare employee, a finding which indicates that hackers may have gained access to the Cloudflare tenant, according to independent security researcher Bill Demirkapi.

Cloudflare co-founder and CEO Matthew Prince was quick to downplay the impact on his company, assuring customers that although Okta provided identity services to Cloudflare, it was not a sole provider of such services and there has not been a breach.

“We are aware that Okta may have been compromised,” he said. “There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.

Okta is named by Gartner as a Leader in its Magic Quadrant for access management and has been for five years running. The company claims to be the world’s number one identity platform and provides services for more than 15,000 customers worldwide.

Okta offers services to businesses including single sign-on (SSO), user authentication, and multi-factor authentication (MFA) - implementations that are routinely recommended to businesses for upholding strong security.

Screenshot of the Okta backend with access to multiple applications

Screenshot of the Okta backend with access to multiple applications (Image credit: IT Pro)

Online experts and observers have raised questions over what LAPSUS$ could have achieved with the level of access they had to Okta’s SSO product.

Offensive security experts speculated that if they had the level of access that allowed them to modify user accounts at Cloudflare, they would feasibly be able to do the same with Okta’s other customers.


Multi-factor authentication deployment guide

A complete guide to selecting and deploying your MFA authentication guide


They said it could also be how LAPSUS$ has been able to access so many companies’ source code in recent weeks, and that they only ‘burned’ their Okta breach due to losing access to the platform.

In recent weeks, LAPSUS$ has leaked source code from large technology companies such as Nvidia and Samsung. The group has also claimed to have obtained files from Vodafone, Impresa, and Mercado Libre.

Hours earlier on Tuesday morning, LAPSUS$ also leaked a torrent file allegedly containing source code from Microsoft after the group first announced that it had successfully breached the tech giant on Sunday.

LAPSUS$ claimed that the leak contains source code for Bing, Bing Maps, and Cortana. A Microsoft spokesperson told IT Pro on Monday that “we are aware of the claims and are investigating”.

"The potential attack on Okta is a striking reminder of the supply chain's cyber risks," said Oz Alashe, CEO at CybSafe and chair of the DCMS' Industry Expert Advisory Group on cyber resilience to IT Pro. "Cyber criminals will often identify the route of least resistance. An authentication tool such as Okta provides the opportunity to breach hundreds of large enterprises in one sweep. ​​​​​​"

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.