Claims by a hacking group that it has breached customers of major identity and access management vendor Okta are being viewed as credible, raising questions about the extent and severity of the potential breach.
The threat actor claiming to be behind the breach, Lapsus$, has previously stolen and leaked data from Nvidia and Samsung. And this week, the group claimed to have posted Microsoft source code on its Telegram channel.
Just hours after posting the claimed Microsoft source code, Lapsus$ posted screenshots of what it said were “access to Okta.com Superuser/Admin and various other systems.”
Okta’s stock price was down $5.49, or about 3.2%, as of mid-afternoon ET on Tuesday. An analyst at Truist, Joel Fishbein, reportedly called the claimed breach “concerning” while cutting his rating on Okta.
“The breach is potentially extremely serious,” said Brett Callow, a threat analyst at cybersecurity firm Emsisoft who has been following the activities of Lapsus$.
“Lapsus$ are basically saying they were less interested in Okta than they were in the company’s customers,” Callow said in a message to VentureBeat. “So it’s potentially a supply chain scenario in which one compromise results in many.”
Possible access to many tenants
Bojan Simic, cofounder and CEO of passwordless multifactor authentication vendor HYPR, noted that while the severity of this breach isn’t fully known yet, Okta manages the identities for about 15,000 companies in total.
This means that “certain individuals within Okta (and their subprocessors) have access to the data and infrastructure that contains the identities of most of their customers,” Simic said in an email to VentureBeat. “This access is given to support and manage the customers’ environment on a day to day basis.”
Thus, “if someone like the Lapsus group was to get access to these systems, they could potentially get access to hundreds of Okta tenants in a single shot instead of having to target individual Okta customers,” Simic said.
Okta did not respond to a request for comment from VentureBeat. In two tweets published Tuesday, Okta cofounder and CEO Todd McKinnon said that the company believes the “screenshots shared online” are connected to an attempted compromise of “a third-party customer support engineer working for one of our subprocessors” in January.
“The matter was investigated and contained by the subprocessor,” McKinnon said on Twitter. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
In a post Tuesday, Okta chief security officer David Bradbury said that “the Okta service has not been breached and remains fully operational.”
“There was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday,” Bradbury said. “The potential impact to Okta customers is limited to the access that support engineers have.”
These engineers “are unable to create or delete users, or download customer databases. Support engineers do have access to limited data — for example, Jira tickets and lists of users — that were seen in the screenshots,” he said. “Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.”
Lapsus$ specified that it did not access Okta itself. “Our focus was ONLY on Okta customers,” the group said in its Telegram post.
Security experts who spoke with Reuters said the breach appears to be real and credible.
Lapsus$ is believed to operate in South America. Over the past month, vendors including Nvidia and Samsung Electronics confirmed the theft of data by the threat actor. On March 1, for instance, Nvidia said that “we are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online.”
Stolen Nvidia data reportedly included designs of graphics cards and source code for DLSS, an AI rendering system. Meanwhile, on Monday, Lapsus$ claimed to have posted Microsoft source code for Bing, Bing Maps and Cortana. Microsoft said it is aware of the claims and is investigating them.
“Given the lack of a denial from Microsoft and Lapsus$’ past victims, their claims are not entirely implausible,” Callow said in a previous message to VentureBeat.
Experts have said that Lapsus$’ motives remain unclear, given the lack of financial demands in the past.