Okta admits customers hit in data breach

Threat group shares superuser account screenshots

UPDATED March 23, 10:00 GMT with Okta admission of customer data access

Customers of authentication firm Okta were scrambling late Monday to take mitigating actions after what apppears to have been a breach of the company's internal IT environment some months ago.

The threat group Lapsus$ posted screenshots demonstrating an apparent Okta hack on their Telegram channel late on Monday. Users fear any compromise would have significant security consequences.

Recent customers include IBM spinoff Kyndryl, the world's largest IT infrastructure provider. Okta claims to have nearly 30% of the Global 2000 as customers using its tools for identity management.

Lapsus$ has successfully breached environments at NVIDIA and Samsung among others.

It claimed yesterday to have hit Microsoft too. Redmond has declined further comment.

(Microsoft has now, however, published a blog on Lapsus$'s TTPs known to date.)

See: CISA urges SATCOM users to use 'independent encryption'

Early Tuesday Okta CEO Todd McKinnon played down the breach, saying in a pair of Tweets: "In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor.

"We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January".

In an updated post by Okta Chief Security Officer David Bradbury that had initially played down impact, he admitted: "After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon."

He made that admission just hours after saying that ""The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers."

https://twitter.com/QuinnyPig/status/1506120181839409159

Okta hack: Did Lapsus$ get a superuser account?

Judging by the screenshots it was at least a partially successful attempt. Many await a more detailed and forensic report on what happened. Troublingly, the screenshots appear to show access to a superuser account that had access to AWS, Okta Sales, Jira, Gmail, Crayon and Splunk among other applications.

Okta's 15,000+ customers include Bain & Company, Nasdaq, T-Mobile, and HPE.

CloudFlare CEO Matthew Prince was among the frustrated customers, saying (shortly before McKinnon's comments): "We are aware that @Okta may have been compromised. There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option. We are resetting the @Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution."

"Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer."

Nick Jones, cloud security lead at F-Secure said: "For orgs using Okta, the details aren’t clear, so I’d be threat hunting for successful auths to services where there’s no matching okra session (a la golden SAML).

"I’d also be looking for cases where users’ MFA is being disabled, unusual/high risk login activity etc in my Okta logs. I’d also look to rotate all privileged Okta credentials ASAP, and if it turns out that the main Okta user data stores were compromised, force a password rotation on all user accounts."

Okta CSO David Bradbury said in his initial post late Tuesday: "In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm... we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop.

Other security firms meanwhile speculated that Lapsus$ dizzying run of recent successes may have been down to the Okta breach. As Check Point put it in a blog about the threat group: "It is still not clear how Lapsus$ breaches its victims, but based on its publications, there are two possible assumptions. 1: Breaches via supply chain – breaching service providers like OKTA in order to get access to its customers. 2: Recruiting insiders in big corporations..."

Follow The Stack and connect with the team on Linkedin