Depending upon who you believe, authentication services provider Okta (with some 15,000 clients globally including Fortune 500 companies) may or may not have suffered a major security breach.
To hear Okta tell the story, there was a limited security breach in January involving third-party customer support staff who had little access to its internal network beyond the ability to reset user passwords. The hackers have something different to say, and have brought screenshots with them as evidence: they claim to have had access to Okta’s network for two months and to be in possession of customer data and AWS keys.
Possible hack of authentication services provider could have compromised hundreds of organizations
The security breach is being claimed by the hacking group LAPSUS$, which has been making significant noise for several months now with documented attacks on a number of major companies. The group has stolen source code from Microsoft and Samsung among others, along with hundreds of gigabytes of sensitive data belonging to Nvidia and to Portugal’s largest media company. The group is thought to be based in Brazil, a somewhat unusual location for a major cyber crime operation of this type.
Providing authentication services to tens of thousands of companies and government agencies, Okta is a supply chain vendor that could cause a cascade of security breaches if compromised. Okta claims that it mitigated the damage before it got to that point, but the alleged evidence provided by the hackers on social media tells a different story and raises questions about the official line.
LAPSUS$ says that it had administrative access for an extended period, contradicting Okta’s claim that the security breach only involved one customer service engineer’s account. Okta says that its investigation has detected no “ongoing malicious activity.” LAPSUS$ indicated that it has access to Okta clients and plans to focus on them in the immediate future.
Extent of security breach remains unclear
So who is to be believed? Some of the Okta customers visible in the hackers’ screenshots have already weighed in. Cloudflare said that it had conducted an internal investigation and found no evidence of a security breach, as did shipping giant FedEx. And if the hackers did indeed have the level of access they claim, an unusual amount of time has gone by without them making a move.
Okta said that the January attack resulted in some form of potential compromise to about 300-400 of its customers, but that those impacted customers had already been contacted by email. The company said that its authentication services were not compromised in any way and that other customers did not need to take any further action at this time.
Major clients of Okta include real estate insurer Fidelity National Financial, financial analysis firm Moody’s, T-Mobile and Hewlett-Packard. If the hackers are to be believed, these companies could be targets in the near future. In the meantime, there is an ongoing investigation into LAPSUS$ involving international law enforcement agencies.