Okta confirms investigation into potential data breach from Lapsus$ group


Okta, a prominent provider of authentication services, says it is investigating a report of a data breach after the Lapsus$ data extortion group claimed access to its systems.

An Okta spokesperson told Reuters that the company was aware of the reports and was currently investigating such claims.

"We will provide updates as more information becomes available," the spokesperson added.

Today, Okta CEO Todd McKinnon also acknowledged on Twitter that the company, in late January, discovered an attempt to hack the account of a third-party customer support engineer working for one of Okta's subprocessors.

"The matter was investigated and contained by the subprocessor," he said.

McKinnon said he believed the screenshots that have been released online are related to the incident that took place in January, adding that the company has found no evidence so far of ongoing malicious behaviour beyond the activity that was discovered in January.

Earlier today, the Lapsus$ group posted screenshots in their Telegram channel of what it claimed was Okta's client data.

"For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor," the group said.

Lapsus$ claimed that it gained "superuser/admin" access to Okta's website and several other systems.

The gang went on to say that its focus was "ONLY on Okta customers" and that it had not exfiltrated any databases.

A data breach at Okta would have major ramifications, considering that hundreds of other organisations depend on Okta to manage access to their own networks and apps.

Okta claims to be the world's leading identification platform and says on its website that it has been consistently acknowledged as a leader by major analyst firms. It employs around 5,000 people globally and offers software services to leading firms including Siemens, Starling Bank, and ITV.

Lapsus$ is a prolific threat group associated with attacks on Nvidia, Samsung, Vodafone, Mercado Libre and Ubisoft in recent months.

Earlier this month, the gang published a massive collection of files, about 190 GB in total, which it said belonged to Samsung Electronics. On Sunday, the Lapsus$ gang shared on its Telegram channel a screenshot of what appeared to be data acquired from an official developer account for Azure, Microsoft's cloud computing business. The operatives claimed to have gained access to an Azure repository that contained the source code for Cortana as well as other Bing projects.

While other extortion gangs use ransomware to lock their victims' machines, Lapsus$ uses a different strategy. It targets the source code repositories of big companies, steals their proprietary data, and then demands millions of dollars in ransom to give that data back to the victims.

Commenting on the alleged data breach at Okta, Jake Moore, global cyber security advisor at cyber security firm ESET, said: "The Lapsus$ group is heavily turning up the heat on multiple organisations and to make matters worse, these images are being posted up to two months after the breach has occurred.

"The attackers have had plenty of time to learn their way around and have free rein on the whole network completely undetected. Okta's customers along with customers of companies who also rely on the technology must now be extra vigilant and cautious of any suspicious activity on their accounts, especially from unsolicited emails."

Oz Alashe, CEO of CybSafe and chair of the UK government's DCMS Industry Expert Advisory Group on cyber resilience, commented: "The potential attack on Okta is a striking reminder of the supply chain's cyber risks. Cybercriminals will often identify the route of least resistance. An authentication tool such as Okta provides the opportunity to breach hundreds of large enterprises in one sweep."

But Alashe added: "While Okta's investigation is ongoing, it's important the security community doesn't jump to conclusions and harass its security team at this challenging time."