A hacking group that previously took responsibility for attacks on Nvidia and Microsoft claimed Monday that it had compromised Okta, which provides “single sign-on” identity services to thousands of companies. Okta confirmed Tuesday that there was an incident in January in which hackers used a customer support worker employed by a third-party company to gain some access to Okta’s systems.
Why it Matters
Okta is little known outside of the industry, but it provides a layer of login security for millions of users at a wide array of firms and organizations that adopt its login system. Depending on the severity of the incident, which is hard to gauge for now, the damage could be widespread.
Note: As Wired reports, security experts are already drawing comparisons to the SolarWinds incident of late 2020, in which Russian-backed hackers gained access to a wide range of companies and government agencies.
Who Did This
The group known as Lapsus$ posted screenshots on Monday night, dated from January, showing it had access to the support account. Okta Chief Security Officer David Bradbury published a blog post on Tuesday, noting that a forensics report on the January incident concluded: “there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers,” Bradbury’s post read. It is not yet certain what information Lapsus$ might have taken during those five days, or what the group might have done with it since.
“The kind of support account that was compromised is unable to create or delete users, or download customer databases. Support engineers can facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords,” Bradbury wrote. The screenshots Lapsus$ posted also included mention of web infrastructure and security firm Cloudflare, which uses Okta internally. Cloudflare CEO Matthew Prince tweeted: “There is no evidence that Cloudflare has been compromised… We are resetting the @Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of an abundance of caution.”
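The two capabilities Bradbury describes (password resets and MFA factor resets) are exactly what an Okta customer would audit for in the January 16-21 window. The script below is an added illustration, not Okta’s or Cloudflare’s code: it filters System Log entries for those actions inside the window and lists the affected users. The event type names are assumed to match Okta’s System Log naming and should be checked against your own tenant; the log entries are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Window from the forensics report quoted above; UTC assumed. End is exclusive, so Jan 21 is included.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)

# Actions a support account could perform per the post. Assumed System Log event type names.
SENSITIVE_EVENTS = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}

# Constructed sample entries in the shape of Okta System Log JSON (not real data).
SAMPLE_LOG = [
    {"published": "2022-01-17T09:12:44.000Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "support-eng@example.com"}, "target": [{"alternateId": "alice@example.com"}]},
    {"published": "2022-01-18T11:03:10.000Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "support-eng@example.com"}, "target": [{"alternateId": "bob@example.com"}]},
    {"published": "2022-01-18T11:05:00.000Z", "eventType": "user.session.start",  # in window, not sensitive
     "actor": {"alternateId": "bob@example.com"}, "target": []},
    {"published": "2022-02-02T08:00:00.000Z", "eventType": "user.account.reset_password",  # outside window
     "actor": {"alternateId": "helpdesk@example.com"}, "target": [{"alternateId": "carol@example.com"}]},
]

def parse_ts(s):
    """Parse the System Log 'published' timestamp (ISO 8601 with milliseconds, Z suffix)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def resets_in_window(events, start=WINDOW_START, end=WINDOW_END):
    """Map actor -> [(published, eventType, [targets])] for sensitive events with start <= ts < end."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("eventType") not in SENSITIVE_EVENTS:
            continue
        ts = parse_ts(ev["published"])
        if not (start <= ts < end):
            continue
        actor = ev.get("actor", {}).get("alternateId", "<unknown>")
        targets = [t.get("alternateId", "<unknown>") for t in ev.get("target", [])]
        hits[actor].append((ev["published"], ev["eventType"], targets))
    return dict(hits)

def affected_users(events, **kw):
    """Set of user IDs whose password or MFA factors were reset inside the window; these get re-verified."""
    return {u for entries in resets_in_window(events, **kw).values() for _, _, ts in entries for u in ts}

if __name__ == "__main__":
    for actor, entries in resets_in_window(SAMPLE_LOG).items():
        print(actor, *[f"  {p}  {e}  -> {', '.join(t)}" for p, e, t in entries], sep="\n")
    print("users to re-verify:", sorted(affected_users(SAMPLE_LOG)))
```

In practice the entries would come from `GET /api/v1/logs` with `since`/`until` bounding the window; the filtering logic is the same.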
In past incidents, Lapsus$ has tried to extort corporations: it posted stolen source code and other business information from chip design giant Nvidia and threatened to publish more if the company didn’t send it large sums of crypto. The group has also posted some of the code that runs Microsoft’s Bing search engine and Cortana personal assistant, in a dump of about 37GB of data. On Tuesday, Microsoft confirmed that the group had gained access to the code after a single account had been compromised, granting limited access. “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk,” the company’s security report stated.