UPDATE--Okta said late Tuesday that approximately 2.5 percent of its global customer base was affected by the intrusion at a subcontractor that occurred in January. Earlier in the day, the company said the impact on customers from the incident was "limited".
Okta is a provider of authentication and single sign-on services for thousands of enterprises and government agencies around the world, and said it is continuing to investigate the compromise of a powerful account of an engineer at a third-party services company. Okta said 366 customers were potentially affected.
"After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email," Okta CSO David Bradbury said in an updated statement Tuesday.
Hacking group Lapsus$ on Monday night posted a number of screenshots that appear to show access to tools and apps that Okta uses internally, including Jira, AWS, Confluence, Splunk, and Slack. One of the screenshots shows a date of Jan. 21, 2022, and the group said in its Telegram channel that it has had access to Okta since January. In a statement Tuesday afternoon, Okta officials said an attacker had access to a support engineer's laptop from Jan. 16 to Jan. 21, but that the Okta service itself was not compromised.
"In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm," an earlier statement from Bradbury says.
"Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday."
The screenshots Lapsus$ posted appear to point to a compromise of one privileged account that had access to internal Okta tools through a third party. The access appears to have come via RDP to a machine that was authenticated to Okta’s network. It does not appear to be a compromise of Okta’s software itself. Third parties such as suppliers, outsourcing firms, and others are frequent targets for attackers looking for a path into a target network. In one of the screenshots, a tab showing the name SYKES appears. SYKES, a subsidiary of Sitel, is a large, global provider of outsourced customer service and support services. In a statement, SYKES officials said they became aware of a breach in January, but did not say that it was directly related to Okta.
"Following a security breach in January 2022 impacting parts of the Sykes network, we took swift action to contain the incident and to protect any potentially impacted clients. Further to the actions taken by our global security and technology teams, a worldwide cybersecurity leader was enlisted to conduct an immediate and comprehensive investigation of the matter. Following completion of the initial investigation, working in partnership with the worldwide cybersecurity leader, we continue to investigate and assess potential security risks to both our infrastructure and to the brands we support around the globe. As a result of the investigation, along with our ongoing assessment of external threats, we are confident there is no longer a security risk," the statement says.
In the updated timeline and post mortem, Okta's Bradbury said he believes the company should have moved more quickly after the initial report of the breach.
"I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications," he said.
In an earlier statement, Bradbury said the company was aware of an incident at a third-party customer support provider in January, but that the incident had been investigated and contained.
“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our sub-processors. The matter was investigated and contained by the sub-processor,” the statement says.
“We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
Okta provides SSO and authentication services to thousands of companies across a wide range of industries, including Cloudflare, Hewlett Packard, the Federal Communications Commission, Pitney Bowes, Peloton, and Sonos. In one of the screenshots posted by Lapsus$, there is a dialog box with a Cloudflare employee's email address, and it shows the attacker trying to perform a password reset for the employee. Cloudflare CEO Matthew Prince said on Twitter Tuesday that the company was rotating credentials for any internal Okta users who had changed their passwords recently.
“We are resetting the @Okta credentials of any employees who’ve changed their passwords in the last 4 months, out of abundance of caution. We’ve confirmed no compromise. Okta is one layer of security. Given they may have an issue we’re evaluating alternatives for that layer,” Prince said.
The Lapsus$ group said that it did not target internal Okta data but instead was solely interested in access to Okta’s customers. Lapsus$ is a relatively new group that focuses on data theft and extortion, threatening to publicly release stolen information if victim companies don’t pay the asking price. The group has claimed responsibility for intrusions at NVIDIA, Samsung, and most recently, Microsoft. Lapsus$ has posted recruiting messages in its Telegram channel, looking for people inside various companies and support organizations willing to provide VPN and remote access in return for payment.
Cloudflare published a detailed account and timeline of the company's investigation into the Okta incident, and said that its internal teams had found no evidence in security logs that an attacker was able to perform a password reset for the Cloudflare employee whose email address was shown in one of the Lapsus$ screenshots.
"In the case of the Okta compromise, it would not suffice to just change a user's password. The attacker would also need to change the hardware (FIDO) token configured for the same user. As a result it would be easy to spot compromised accounts based on the associated hardware keys," the Cloudflare post mortem says.
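The two checks described above (Cloudflare's point that an attacker with support-tool access would have to change both the password and the hardware FIDO factor, so a password change paired with a re-enrolled key is the signal to hunt for, and the precautionary rotation of every account whose password changed in the last four months) can be expressed as a query over Okta System Log events. The following Python is an added example written for this page; it is not Cloudflare's or Okta's code. The log lines it runs over are constructed, the user names and timestamps are invented, and the event type names, the `target[].type` / `alternateId` / `displayName` layout and the factor labels it matches on are assumptions about the Okta System Log schema rather than anything the article states.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of Okta System Log entries, one JSON object per line.
# Field layout (eventType, published, outcome.result, target[]) and the event
# type names are ASSUMED here for illustration; users, times and factors are invented.
SAMPLE_LOG = r"""
{"eventType":"user.account.update_password","published":"2022-01-05T09:12:00.000Z","outcome":{"result":"SUCCESS"},"target":[{"type":"User","alternateId":"bob@example.com"}]}
{"eventType":"user.account.reset_password","published":"2022-01-20T10:00:00.000Z","outcome":{"result":"SUCCESS"},"target":[{"type":"User","alternateId":"alice@example.com"}]}
{"eventType":"user.mfa.factor.activate","published":"2022-01-20T10:04:30.000Z","outcome":{"result":"SUCCESS"},"target":[{"type":"User","alternateId":"alice@example.com"},{"type":"MfaFactor","displayName":"Security Key or Biometric","alternateId":"webauthn"}]}
{"eventType":"user.account.reset_password","published":"2022-01-21T02:40:00.000Z","outcome":{"result":"FAILURE"},"target":[{"type":"User","alternateId":"carol@example.com"}]}
{"eventType":"user.mfa.factor.activate","published":"2021-11-02T15:00:00.000Z","outcome":{"result":"SUCCESS"},"target":[{"type":"User","alternateId":"dave@example.com"},{"type":"MfaFactor","alternateId":"webauthn"}]}
"""

# Assumed event types: a successful password reset (admin/support initiated) or
# self-service update, and successful changes to an enrolled MFA factor.
PASSWORD_CHANGE_EVENTS = {"user.account.reset_password", "user.account.update_password"}
FACTOR_CHANGE_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.deactivate",
                        "user.mfa.factor.reset_all"}
# Assumed labels under which a hardware (FIDO/WebAuthn) factor appears as a target.
FIDO_FACTOR_IDS = {"webauthn", "Security Key or Biometric"}


def parse_log(text):
    """Parse JSON-lines log text; attach a timezone-aware datetime as '_when'."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_when"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def _user_of(ev):
    for t in ev.get("target", []):
        if t.get("type") == "User":
            return t.get("alternateId")
    return None


def _succeeded(ev):
    # Cloudflare found no *successful* reset in its logs; failed attempts are
    # worth alerting on elsewhere but do not by themselves change the account.
    return ev.get("outcome", {}).get("result") == "SUCCESS"


def password_changes(events):
    """user -> times of successful password resets/updates."""
    out = {}
    for ev in events:
        if ev["eventType"] in PASSWORD_CHANGE_EVENTS and _succeeded(ev):
            out.setdefault(_user_of(ev), []).append(ev["_when"])
    return out


def fido_factor_changes(events):
    """user -> times a hardware (FIDO) factor was enrolled, removed or reset."""
    out = {}
    for ev in events:
        if ev["eventType"] not in FACTOR_CHANGE_EVENTS or not _succeeded(ev):
            continue
        is_fido = ev["eventType"] == "user.mfa.factor.reset_all" or any(
            t.get("type") == "MfaFactor"
            and (t.get("alternateId") in FIDO_FACTOR_IDS or t.get("displayName") in FIDO_FACTOR_IDS)
            for t in ev.get("target", []))
        if is_fido:
            out.setdefault(_user_of(ev), []).append(ev["_when"])
    return out


def takeover_candidates(events, window=timedelta(hours=24)):
    """Users with a password change and a FIDO factor change within `window` of
    each other: the pair an attacker would need to take over a key-protected account."""
    pw, fido = password_changes(events), fido_factor_changes(events)
    flagged = {}
    for user, pw_times in pw.items():
        for p in pw_times:
            for f in fido.get(user, []):
                if abs(f - p) <= window:
                    flagged.setdefault(user, []).append((p, f))
    return flagged


def users_to_rotate(events, now, lookback=timedelta(days=120)):
    """Users whose password changed inside the lookback (the four-month rotation)."""
    cutoff = now - lookback
    return {u for u, ts in password_changes(events).items() if any(t >= cutoff for t in ts)}


def analyze(log_text, now_iso):
    """Run all three checks over JSON-lines log text; now_iso is an ISO-8601 UTC time."""
    events = parse_log(log_text)
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return {
        "takeover_candidates": sorted(takeover_candidates(events)),
        "fido_changes": sorted(fido_factor_changes(events)),
        "rotate": sorted(users_to_rotate(events, now)),
    }


if __name__ == "__main__":
    for key, users in analyze(SAMPLE_LOG, "2022-03-22T00:00:00Z").items():
        print(f"{key}: {users}")
```

On the constructed sample only alice is a takeover candidate (reset followed minutes later by a new security key); carol's reset failed and so changes nothing; dave re-enrolled a key months earlier with no password change and appears only in the hardware-key review list; alice and bob fall inside the four-month rotation window. A real hunt would page the System Log API with a `since` filter and add the client IP and actor fields to each hit, which the sample omits.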
Okta did not respond to a request for further comment beyond the public statement.
This story was updated on March 22 to add the statement from SYKES and again on March 23 to add the newest information from Okta.