Okta Announces 2.5% of Companies (including Cloudflare) Affected by Hacking in January 2022


Okta, a leading access management provider, announced that about 2.5% of its customers, roughly 375 organizations, were affected by a cyberattack claimed by the cybercrime group Lapsus$.

Source: Okta, “Updated Okta Statement on LAPSUS$” (update posted at 6:31 PM Pacific Time).

Okta concluded that no corrective action was required of its customers.

Okta confirmed that in January an attacker gained access to the laptop of one of its support engineers, causing a security incident in which the attacker was in a position to initiate a password reset for a customer.

Okta’s investigation found that the attacker had access to the laptop for five days, between January 16 and 21, 2022, during which time the attacker could reach Okta’s customer support panel and the company’s Slack server.

The screenshot released by the Lapsus$ group shows an Okta employee’s email address on an account that appears to have “superuser” privileges: it can list users, reset passwords, reset MFA factors, and access support tickets.

Okta explained, however, that even a successful compromise of such an account would be limited to the access rights of a support engineer, which do not allow creating or deleting users or downloading customer databases.

Support engineers had access to the limited data seen in the screenshot, for example the list of Jira tickets and users. Support engineers can facilitate the reset of user passwords and multi-factor authentication (MFA) factors, but cannot retrieve those passwords. – Okta

In a subsequent update, Okta said that about 2.5% of its customers were affected by the Lapsus$ cyberattack.

Okta has more than 15,000 customers, meaning that approximately 375 organizations may have had their accounts compromised in some way.

We have identified and are contacting these customers directly; Okta customers who have been affected have already been contacted directly via email. – Okta

Cloudflare’s Response to the Okta Breach

The Lapsus$ screenshot also shows the email address of a Cloudflare employee whose password was about to be reset by the attacker who had compromised the Okta employee’s account.

Cloudflare, a web infrastructure and security company, said in a report that it learned of the Okta compromise in the early morning of March 22 (03:30 UTC), and that its Security Incident Response Team (SIRT) contacted the owner of the company email account visible in the Lapsus$ screenshot about a possible problem approximately 90 minutes after the team was first alerted.

Source: Cloudflare, “Cloudflare’s investigation of the January 2022 Okta compromise”.

“A screenshot shared on social media shows a hacker posing as an Okta employee, along with a pop-up indicating that a password reset could be initiated. The email addresses of the employees were displayed.” – Cloudflare

Cloudflare noted that it uses Okta internally for employee identity as part of its authentication stack, and that Cloudflare customers have nothing to worry about “unless they use Okta themselves.”

To rule out unauthorized access to employee accounts, Cloudflare reviewed every password reset and MFA change made since December 1, 2021. In total, 144 accounts had such a change in that window, and the company forced a password reset on all of them.
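The review Cloudflare describes is a log audit: list every account whose password or MFA was changed since a cutoff date, and look hardest at changes that were not made by the user themselves, since a support-portal compromise produces exactly that pattern. The following is an added example, not Cloudflare’s or Okta’s code. The log lines are constructed here in the shape of Okta System Log records; the eventType names are the ones Okta documents for these actions, but they are an assumption to check against your own tenant.

```python
"""Audit identity-provider logs for password resets and MFA changes since a cutoff.

Added example, not Cloudflare's or Okta's code. The sample events are constructed
in the shape of Okta System Log records; the eventType names are assumed to match
the tenant's log and should be verified.
"""
import json
from datetime import datetime, timezone

# Event types that warrant a forced credential reset when seen in the window.
# Assumption: these match the tenant's System Log; adjust if yours differs.
SUSPECT_EVENT_TYPES = {
    "user.account.reset_password",
    "user.account.update_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.update",
}

CUTOFF = datetime(2021, 12, 1, tzinfo=timezone.utc)

# Constructed sample log: one event before the cutoff, two credential changes
# inside the window (one self-service, one performed by a support account),
# and one unrelated session event.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"published": "2021-11-20T10:00:00.000Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "target": [{"alternateId": "alice@example.com", "type": "User"}]},
    {"published": "2022-01-18T14:02:11.000Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "support@idp.example", "type": "User"},
     "target": [{"alternateId": "bob@example.com", "type": "User"}]},
    {"published": "2022-01-19T09:30:00.000Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "carol@example.com", "type": "User"},
     "target": [{"alternateId": "carol@example.com", "type": "User"}]},
    {"published": "2022-01-20T08:00:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "dave@example.com", "type": "User"},
     "target": []},
])


def parse_published(ts: str) -> datetime:
    # Okta timestamps are ISO 8601 with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_credential_changes(log_text: str, cutoff: datetime) -> dict:
    """Return {target_user: [finding, ...]} for credential events at/after the cutoff.

    Each finding records the event type, when it happened, who performed it, and
    whether it was self-service (actor == target) or done by someone else.
    """
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventType") not in SUSPECT_EVENT_TYPES:
            continue
        when = parse_published(event["published"])
        if when < cutoff:
            continue
        actor = event.get("actor", {}).get("alternateId", "")
        for target in event.get("target", []):
            if target.get("type") != "User":
                continue
            user = target["alternateId"]
            findings.setdefault(user, []).append({
                "eventType": event["eventType"],
                "published": when.isoformat(),
                "actor": actor,
                "self_service": actor.lower() == user.lower(),
            })
    return findings


def accounts_to_force_reset(findings: dict) -> list:
    """Every account with a credential change in the window: force a reset on all."""
    return sorted(findings)


def third_party_initiated(findings: dict) -> list:
    """Accounts whose change was made by someone other than the user: review first."""
    return sorted(u for u, fs in findings.items() if any(not f["self_service"] for f in fs))


if __name__ == "__main__":
    found = audit_credential_changes(SAMPLE_LOG, CUTOFF)
    print("Force password reset for:", accounts_to_force_reset(found))
    print("Review first (not self-service):", third_party_initiated(found))
```

Forcing a reset on every account in the window, as Cloudflare did, is the safe choice because a legitimate-looking self-service reset can also be the result of an attacker who already holds a session; the non-self-service list is where the investigation of who actually made the change should start.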

Cloudflare notified Okta of the issue and, at the same time, terminated the active sessions of the potentially compromised users and suspended their accounts.

Lapsus$ Response

In response to Okta’s statement, the Lapsus$ group claimed that it had compromised a thin client, not an Okta employee’s laptop.

They dispute Okta’s assertion that the breach was unsuccessful, claiming that they “were able to log into the Super User Portal and reset the passwords and MFAs of 95% of the clients.”
