Okta says recent Lapsus$ hack only lasted 25 minutes

20 Apr 2022


Okta’s chief security officer said the result of the hack was ‘significantly less’ than the maximum potential impact the company shared last month.

Okta said its investigation into the January breach shows the attackers actively controlled a support workstation for 25 minutes, during which time they accessed two customer tenants.

The company began the investigation after the Lapsus$ hacking group shared screenshots on 21 March suggesting it had gained access to Okta customer accounts. Okta said it examined a five-day window in January, with a maximum potential impact of 366 customers.

In a report shared yesterday (19 April), Okta chief security officer David Bradbury confirmed that a threat actor actively controlled a single workstation used by a Sitel support engineer on 21 January, which gave access to Okta resources.

Bradbury said two active customer tenants were accessed during this time within the SuperUser application. He added that the hacker was also able to view “limited additional information” in certain applications like Slack and Jira.

Okta has not named the two customers impacted but said they have been notified of the incident.

The access management software company has more than 15,000 customers, including DCC, Engie, ITV, Renault, Siemens, Plan International, Slack and Pret a Manger.

Based on the forensic report, Bradbury said the threat actor was unable to perform any configuration changes, password resets, or customer support impersonation events.
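The finding above, that no configuration changes, password resets or impersonation events occurred, is the kind of determination a tenant administrator can make on their own side by filtering the tenant's log for a short window. The following is an added example, not code from the article or from Okta: it filters records in the shape of Okta System Log entries for support-impersonation and account-change events inside a suspected compromise window. The event type names follow Okta's System Log naming as understood by the author and are an assumption; the sample records, actors, targets and the clock time of the window are constructed for the example (the article gives the 25-minute duration but not the time of day).

```python
import json
from collections import Counter
from datetime import datetime, timezone, timedelta

# Event types worth reviewing after a support-side compromise. The names
# follow Okta System Log conventions as understood by the author; they are
# an assumption here, so confirm them against your own tenant's log.
REVIEW_EVENT_TYPES = {
    "user.session.impersonation.initiate",  # support engineer began impersonating a user
    "user.session.impersonation.grant",     # customer granted impersonation consent
    "user.session.impersonation.end",
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp. Okta emits a trailing 'Z', which
    datetime.fromisoformat rejects on Python < 3.11, so normalise it first."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def events_in_window(records, start: datetime, end: datetime):
    """Return review-worthy events published inside [start, end], oldest first."""
    hits = []
    for rec in records:
        ts = parse_ts(rec["published"])
        if start <= ts <= end and rec.get("eventType") in REVIEW_EVENT_TYPES:
            hits.append({
                "time": ts.isoformat(),
                "eventType": rec["eventType"],
                "actor": rec.get("actor", {}).get("alternateId", "?"),
                "target": [t.get("alternateId", "?") for t in rec.get("target", [])],
                "result": rec.get("outcome", {}).get("result", "?"),
            })
    hits.sort(key=lambda h: h["time"])
    return hits


def summarize(hits):
    """Counts per event type and per actor, for a quick triage view."""
    return {
        "by_type": dict(Counter(h["eventType"] for h in hits)),
        "by_actor": dict(Counter(h["actor"] for h in hits)),
    }


# Constructed sample records in System Log shape. Actors, targets and times
# are invented for this example and do not come from the incident.
SAMPLE_LOG = json.loads("""[
 {"published":"2022-01-21T09:58:10.000Z","eventType":"user.session.start",
  "actor":{"alternateId":"alice@example.com"},"outcome":{"result":"SUCCESS"},"target":[]},
 {"published":"2022-01-21T10:03:42.000Z","eventType":"user.session.impersonation.initiate",
  "actor":{"alternateId":"support-eng@okta.example"},"outcome":{"result":"SUCCESS"},
  "target":[{"alternateId":"bob@example.com"}]},
 {"published":"2022-01-21T10:07:15.000Z","eventType":"user.account.reset_password",
  "actor":{"alternateId":"support-eng@okta.example"},"outcome":{"result":"FAILURE"},
  "target":[{"alternateId":"bob@example.com"}]},
 {"published":"2022-01-21T11:30:00.000Z","eventType":"user.session.impersonation.initiate",
  "actor":{"alternateId":"support-eng@okta.example"},"outcome":{"result":"SUCCESS"},
  "target":[{"alternateId":"carol@example.com"}]}
]""")

# Hypothetical 25-minute window; the clock time is an assumption.
WINDOW_START = datetime(2022, 1, 21, 10, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(minutes=25)

if __name__ == "__main__":
    found = events_in_window(SAMPLE_LOG, WINDOW_START, WINDOW_END)
    for h in found:
        print(h["time"], h["eventType"], h["actor"], "->", h["target"], h["result"])
    print(summarize(found))
```

Failed events are deliberately kept in the result: a failed password reset inside the window is still evidence of what the actor attempted, which is exactly the question Okta's forensic review was answering. The impersonation event at 11:30 falls outside the window and is dropped, so widen the window if you are unsure of the boundaries.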

“While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognise the broad toll this kind of compromise can have on our customers and their trust in Okta,” Bradbury said.

In a report last month that listed a timeline of events related to the hack, Bradbury revealed that he was “greatly disappointed” by Okta’s delay in getting an investigative report after the incident.

In the most recent update, Bradbury said Okta has terminated its relationship with Sitel as a result of the hack and is taking measures to improve its third-party risk management.

Lapsus$ hacks

Lapsus$ is a relatively new hacker group but has made waves in recent months for claiming to be behind a string of high-profile hacks.

In February, chipmaker Nvidia suffered a cyberattack that was claimed by Lapsus$. The group said it had obtained files relating to Nvidia GPU drivers, which it claimed could be used to bypass the hash-rate limiter Nvidia places on its GPUs to deter cryptocurrency mining.

A week later, the group claimed to have leaked almost 190GB of data from Samsung. Last month, it responded to a news link about a Ubisoft hack with a smirking face emoji, which may have been the group taking responsibility for that cyberattack.

Its most recent hacking claims were related to Okta and Microsoft, with both companies confirming data breaches on 22 March.

Towards the end of March, authorities in the UK said they arrested several people in connection with the cybercriminal gang, with a teenage boy in Oxford suspected of being one of the masterminds of the group.

According to an in-depth report into the group by investigative journalist Brian Krebs, at least one member of Lapsus$ may also have been involved in the cyberattack on game maker EA last year, which saw hackers making off with source code for some games.


Leigh Mc Gowran is a journalist with Silicon Republic