Okta updates advice to customers after confirming Lapsus$ breach

No ongoing risk, company says

Identity and access management firm Okta has updated advice to its customers and provided more details of the attack by the Lapsus$ cybercrime group, which was widely reported yesterday.

The cybercrime group posted screenshots on Telegram purporting to show Okta customers' data, which Okta later confirmed to be the case.

In January, the company logged an attempt to compromise the account of a customer support engineer working for the third-party provider Sitel. A subsequent analysis of the incident by a forensics firm found that the attackers had access to the engineer's laptop for a period of five days, January 16 - 21.

Okta says its core systems were not breached during the attack and that the access was confined to the laptop, disputing Lapsus$'s claims that it gained superuser access to the firm's website and other systems. The screenshots were consistent with the breach of the engineer's laptop in January, the company said, and there are no indications that the attackers went any further.

"The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers," it says in a post on its website.

"The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords."

Okta says that in the worst case 366 companies, or 2.5 percent of its 15,000 customers, may "have potentially been impacted", meaning their data may already have been viewed by the attackers, but it says there is no ongoing risk.

The company has contacted those customers by email, and has organised two live webinars today to discuss the technical details.