Security news that informs and inspires

Okta Ends Investigation Into Lapsus$ Breach

A month after disclosing that a breach at one of its third-party contractors had allowed the Lapsus$ group to access some customer information, Okta officials said they have finished their investigation into the intrusion, have cut ties with the contractor, Sitel, and are changing the way the company works with outside service providers.

The initial intrusion by Lapsus$ occurred in January, and in the original disclosure of the incident Okta officials estimated that about 2.5 percent of the company’s customers were affected. But this week, Okta CSO David Bradbury said the attackers were able to access only two Okta customer tenants during the 25-minute window in which they had access to a Sitel workstation.

“During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants,” Bradbury said in a post.

“The threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support ‘impersonation’ events. The threat actor was unable to authenticate directly to any Okta accounts.”

Bradbury said that Okta has ended its relationship with Sitel, a large international provider of managed support services, as a result of the intrusion and subsequent investigation. Okta is also changing some of the requirements for outside companies that perform support and other services on its behalf, in order to strengthen security.

“Okta will now directly manage all devices of third parties that access our customer support tools, providing the necessary visibility to effectively respond to security incidents without relying on a third party. This will enable us to significantly reduce response times and report to customers with greater certainty on actual impact, rather than potential impact,” Bradbury said.

“We are making further modifications to our customer support tool to restrictively limit what information a technical support engineer can view. These changes also provide greater transparency about when this tool is used in customer admin consoles (via System Log).”
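One check a customer can run against its own tenant, given that Okta records use of the support tool in the System Log: the following Python script, added here as an illustration and not code from Okta or from the article, filters System Log entries for impersonation events and summarizes which accounts used (or tried to use) that path, from which IP addresses, and whether Okta recorded the attempt as a success. The event type names, the `/api/v1/logs` filter grammar and the JSON record layout are taken from Okta's System Log documentation as an assumption of this example (the article does not list them), and the log entries themselves are constructed sample data.

```python
import json
from collections import defaultdict

# Event types Okta's System Log uses for support/admin "impersonation"
# sessions. ASSUMPTION: these names come from Okta's System Log documentation,
# not from the article; confirm them against your own tenant's log output.
IMPERSONATION_EVENT_TYPES = (
    "user.session.impersonation.initiate",
    "user.session.impersonation.grant",
    "user.session.impersonation.extend",
    "user.session.impersonation.end",
    "user.session.impersonation.revoke",
)


def logs_api_filter(event_types=IMPERSONATION_EVENT_TYPES):
    """Build the `filter` query parameter for GET /api/v1/logs so only the
    impersonation event types are returned. ASSUMPTION: Okta's filter grammar
    accepts `eventType eq "..."` clauses joined with `or`."""
    return " or ".join(f'eventType eq "{t}"' for t in event_types)


# Constructed sample System Log records in the JSON shape the logs API
# returns. These are made-up entries for this example, not real Okta data.
# They are deliberately out of time order to show the sort in the finder.
SAMPLE_LOG_JSON = """
[
  {"uuid": "e1", "published": "2022-01-20T21:52:10.000Z",
   "eventType": "user.session.start",
   "outcome": {"result": "SUCCESS"},
   "actor": {"type": "User", "alternateId": "alice@example.com"},
   "client": {"ipAddress": "203.0.113.10"},
   "target": []},
  {"uuid": "e2", "published": "2022-01-20T22:09:31.000Z",
   "eventType": "user.session.impersonation.end",
   "outcome": {"result": "SUCCESS"},
   "actor": {"type": "User", "alternateId": "admin@example.com"},
   "client": {"ipAddress": "203.0.113.22"},
   "target": [{"type": "User", "alternateId": "support-eng@vendor.example"}]},
  {"uuid": "e3", "published": "2022-01-20T22:01:44.000Z",
   "eventType": "user.session.impersonation.grant",
   "outcome": {"result": "SUCCESS"},
   "actor": {"type": "User", "alternateId": "admin@example.com"},
   "client": {"ipAddress": "203.0.113.22"},
   "target": [{"type": "User", "alternateId": "support-eng@vendor.example"}]},
  {"uuid": "e4", "published": "2022-01-20T22:03:05.000Z",
   "eventType": "user.session.impersonation.initiate",
   "outcome": {"result": "FAILURE", "reason": "Impersonation not permitted"},
   "actor": {"type": "User", "alternateId": "support-eng@vendor.example"},
   "client": {"ipAddress": "198.51.100.7"},
   "target": [{"type": "User", "alternateId": "alice@example.com"}]}
]
"""


def load_sample():
    """Parse the constructed sample log into a list of event dicts."""
    return json.loads(SAMPLE_LOG_JSON)


def find_impersonation_events(events):
    """Return only the impersonation-related events, oldest first."""
    hits = [e for e in events if e.get("eventType") in IMPERSONATION_EVENT_TYPES]
    return sorted(hits, key=lambda e: e.get("published", ""))


def summarize_by_actor(events):
    """Group impersonation events by the acting account: how many Okta
    recorded as SUCCESS vs. not, the client IPs seen, and the targets."""
    summary = defaultdict(
        lambda: {"success": 0, "failure": 0, "ips": set(), "targets": set()}
    )
    for e in find_impersonation_events(events):
        actor = e.get("actor", {}).get("alternateId", "<unknown>")
        entry = summary[actor]
        if e.get("outcome", {}).get("result") == "SUCCESS":
            entry["success"] += 1
        else:
            entry["failure"] += 1
        ip = e.get("client", {}).get("ipAddress")
        if ip:
            entry["ips"].add(ip)
        for t in e.get("target") or []:
            if t.get("alternateId"):
                entry["targets"].add(t["alternateId"])
    return dict(summary)


def unexpected_actors(summary, expected_actors):
    """Actors that touched the impersonation path without being on the list
    of accounts expected to use it, plus anyone with a failed attempt."""
    return sorted(
        a for a, s in summary.items()
        if a not in expected_actors or s["failure"] > 0
    )


if __name__ == "__main__":
    summary = summarize_by_actor(load_sample())
    for actor, s in summary.items():
        print(f"{actor}: {s['success']} ok, {s['failure']} failed, "
              f"ips={sorted(s['ips'])}, targets={sorted(s['targets'])}")
    print("review:", unexpected_actors(summary, {"admin@example.com"}))
```

Against a live tenant, `logs_api_filter()` is the `filter` parameter to pass to `GET /api/v1/logs` (with a `since` bound), and the resulting pages feed `summarize_by_actor` unchanged. The point of keeping failures in the summary is the article's own finding: an attacker who could not complete an impersonation still leaves the attempt in the log, which is what makes the System Log useful for confirming impact rather than guessing at it.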

Okta shared logs and the final forensic report with affected customers and Bradbury said the company also has shared its new Security Action Plan with those customers.

The intrusion by Lapsus$ at Sitel happened in January but didn’t come to light until late March, when the group began posting screenshots of internal Okta system resources. Okta officials initially downplayed the incident, but soon acknowledged that there had been an intrusion.

“In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm,” an earlier statement from Bradbury says.