Okta says attacker accessed engineer’s laptop for five days

Did you miss a session at the Data Summit? Watch On-Demand Here.

Okta chief security officer David Bradbury said in a post Tuesday that “the Okta service has not been breached and remains fully operational.”

“There are no corrective actions that need to be taken by our customers,” Bradbury said.

However, an attacker did access the account of a customer support engineer, who worked for a third-party provider, for five days in January, according to Bradbury. The third-party provider was not identified.

“There was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday,” Bradbury said.

Bradbury referred to screenshots posted on Telegram by hacker group Lapsus$, showing what the group said was “access to Okta.com Superuser/Admin and various other systems.”

The potential breach of a customer of the major identity and access management vendor raised questions about the extent and severity of the potential breach.

‘Limited’ impact

In the post Tuesday, Bradbury said that the “potential impact to Okta customers is limited to the access that support engineers have.”

These engineers “are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots,” he said. “Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.”

Okta is “actively continuing our investigation, including identifying and contacting those customers that may have been impacted,” Bradbury said.

From the post:

In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.

Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. 

Okta’s stock price was down $5.49, or about 3.2%, as of mid-afternoon ET on Tuesday. An analyst at Truist, Joel Fishbein, reportedly called the claimed breach “concerning” amid cutting his rating on Okta.

Lapsus$ specified that it did not access Okta itself. “Our focus was ONLY on okta customers,” the group said in its Telegram post.

Lapsus$ is believed to operate in South America. Over the past month, vendors including Nvidia and Samsung Electronics confirmed the theft of data by the threat actor. On March 1, for instance, Nvidia said that “we are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online.”

Stolen Nvidia data reportedly included designs of graphics cards and source code for DLSS, an AI rendering system. Meanwhile, on Monday, Lapsus$ claimed to have posted Microsoft source code for Bing, Bing Maps and Cortana. Microsoft said it is aware of the claims and is investigating them.

Experts have said that Lapsus$’ motives remain unclear, given the lack of financial demands in the past.

Originally appeared on: TheSpuzz