Okta investigating reports of data breach by Lapsus$ ransomware cybercriminal group (updated)

Identity and authentication services firm Okta is investigating reports that the firm has been breached by the Lapsus$ ransomware cybercriminal group.

Update on March 23, 2022: Okta released an updated statement on LAPSUS$ claims.

David Bradbury, Chief Security Officer at Okta, released an official statement on March 22:

The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers. In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.”

Okta added the “potential impact to Okta customers is limited to the access that support engineers have” (such as Jira tickets, lists of users, resetting passwords or Multi Factor Authentication for users).

Earlier on Tuesday, Okta issued a statement that the firm was investigating a digital breach after hackers posted screenshots online purportedly of internal Okta systems.

According to a CNBC report, Okta said they “detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors” back in January, 2022. However, Okta added they have “found no evidence of new attack” and “no evidence of ongoing malicious activity.”

The Lapsus$ gang posted screenshots to its Telegram channel and some pictures were shared via a tweet Monday night:

Given Okta is used by more than 15,000 organizations worldwide for services such as single sign-on (SSO) and related identity/authentication services, the impact could be devastating.

Security and technology firms such as Check Point, Cloudflare and others also sent out messages acknowledging the breach and offered customer guidance to help minimize the threat. Examples include recommendations to review auditing and log-in activities of any product that uses Okta, as well as leverage solutions that can detect compromised identities and suspicious identity behavior.

Cloudflare CEO Matthew Prince also sent out a tweet stating there is “no evidence that Cloudflare has been compromised”:

To add, the Okta incident follows after the Lapsus$ group also bragged about allegedly stealing Bing and Cortana code from Microsoft over the weekend. According to a report from The Register, the software giant said they are “aware of the claims and are investigating.”

This story is developing and we will update this post with more details as it emerges.

Related Articles