Authentication firm Okta probes security breach
Okta admits some customers have been ‘potentially impacted’ after a ransomware group claimed it had breached the company.
Online authentication services firm Okta says it is investigating a claim by ransomware group Lapsus$ that it has breached its systems and is targeting its customers.
Okta provides secure login and authentication to thousands of companies worldwide. In a statement, Okta has confirmed that some customers have “potentially been impacted”.
“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5 per cent – have potentially been impacted and whose data may have been viewed or acted upon,” says chief security officer David Bradbury.
“We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.”
Okta claims more than 14,000 customers on its website, so 2.5 per cent equates to roughly 350 customers. It also claims to be scaling Okta to more than 50 billion users.
Mr Bradbury says the Okta service is fully operational, and there are no corrective actions its customers need to take.
It is claimed Lapsus$ published a message in its official Telegram group, saying the group had breached the company but “didn’t steal/access any Okta database”. The target of the attack, according to the group, isn’t Okta but its customers.
In an earlier statement Mr Bradbury said the origin of the incident was what Okta then described as an unsuccessful attempt, in January 2022, to compromise the account of a customer support engineer working for a third-party provider.
“As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.
“Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.”
Mr Bradbury says the potential impact to Okta customers is limited to the access that support engineers have.
Okta’s investigation and timeline of the January 2022 compromise: https://t.co/qq9VHpYFat
— Okta (@okta) March 23, 2022
“These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”
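Given the access Okta describes above, the check a customer would want is a review of its own identity audit logs for password and MFA-factor resets performed by a support or impersonation actor during the disclosed 16-21 January 2022 window, so that affected users can be re-enrolled. The script below is an added example, not code from the article or from Okta. The record shape (eventType, actor, target, published, outcome) follows the general layout of Okta's System Log JSON as an assumption; the event-type strings, the trusted-actor list and the sample records are constructed for illustration and are not real log data.

```python
"""Find password / MFA-factor resets by untrusted actors inside a disclosed window.

Added example (not from the article or Okta). Field and event-type names are
assumptions modelled on the shape of an identity provider's audit log; the
sample records are constructed.
"""
import json
from datetime import datetime, timezone

# Actions a support engineer could trigger against a customer's users
# (assumed names; confirm against your own tenant's event reference).
SENSITIVE_EVENTS = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}

# Disclosed window of attacker access on the support laptop: 16-21 Jan 2022.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)  # exclusive

# The customer's own help-desk identities (assumed); everything else is suspect.
TRUSTED_ACTORS = {"helpdesk@example.com"}

# Constructed sample records, one JSON object per line (NOT real log data).
SAMPLE_LOG = r"""
{"published":"2022-01-15T09:12:03.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk@example.com","type":"User"},"target":[{"alternateId":"alice@example.com","type":"User"}],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-18T22:41:10.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"support-impersonation@vendor.invalid","type":"User"},"target":[{"alternateId":"bob@example.com","type":"User"}],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-19T03:05:44.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com","type":"User"},"target":[],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-20T11:00:00.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk@example.com","type":"User"},"target":[{"alternateId":"carol@example.com","type":"User"}],"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-20T11:30:00.000Z","eventType":"user.mfa.factor.deactivate","actor":{"alternateId":"support-impersonation@vendor.invalid","type":"User"},"target":[{"alternateId":"dave@example.com","type":"User"}],"outcome":{"result":"FAILURE"}}
"""


def parse_time(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspect_resets(log_text: str, start=WINDOW_START, end=WINDOW_END,
                        trusted=TRUSTED_ACTORS):
    """Return (target, eventType, actor, published, result) tuples for
    sensitive events inside [start, end) whose actor is not a trusted admin.

    Failed attempts are kept: a reset that was blocked still shows intent
    against that user and belongs in the review.
    """
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["eventType"] not in SENSITIVE_EVENTS:
            continue
        when = parse_time(ev["published"])
        if not (start <= when < end):
            continue
        actor = ev["actor"]["alternateId"]
        if actor in trusted:
            continue
        for t in ev.get("target", []):
            hits.append((t["alternateId"], ev["eventType"], actor,
                         ev["published"], ev["outcome"]["result"]))
    return hits


def users_to_reenrol(hits):
    """Distinct users whose credentials or factors were touched; re-enrol these."""
    return sorted({h[0] for h in hits})


if __name__ == "__main__":
    found = find_suspect_resets(SAMPLE_LOG)
    for h in found:
        print("%-18s %-32s by %-40s at %s (%s)" % h)
    print("re-enrol:", users_to_reenrol(found))
```

Alice's reset falls outside the window and Carol's was performed by the customer's own help desk, so only Bob (successful factor reset) and Dave (blocked factor deactivation) are flagged. In a real review the trusted-actor list should be built from the tenant's own administrator roster, not guessed, and the window widened if the provider's timeline is later revised.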
Jonathan Knudsen, senior software strategist, Synopsys Software Integrity Group, says that based on the scope and frequency of its attacks, Lapsus$ appears to be a well-resourced organisation, likely backed by organised crime or a nation-state.
“Lapsus$ has been busy lately, but its activities should not be surprising. The software attack surface for most organisations is large and porous, yielding an asymmetry of bountiful rewards for relatively low effort.”
Lotem Finkelsteen, head of threat intelligence and research at Check Point Software, says Lapsus$ is a South American threat actor that has recently been linked to cyber attacks on some high-profile targets.
“The cyber gang is known for extortion, threatening the release of sensitive information if its demands are not met by victims. The group has boasted of breaking into Nvidia, Samsung, Ubisoft and others,” Mr Finkelsteen says.
“Thousands of companies use Okta to secure and manage their identities. This means in practice that Okta manages vast amounts of users globally. Compromises of this magnitude can have a severe impact globally and create a chain reaction in enterprises in which the identities of their employees and contractors are potentially compromised.”
He says that through private keys retrieved from within Okta, the cyber gang may have gained access to corporate networks and applications. “Hence, a breach at Okta could lead to potentially devastating consequences which are still to be seen or exposed at this point. How the group managed to breach these targets has never fully been clear to the public. If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent string of successes.”
Mr Bradbury in his statement says Okta deeply apologises for any inconvenience and uncertainty the event has caused. He says there is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.