The authentication company Okta confirms it has been hit by hackers. The authentication service, used by thousands of organizations around the world to control access to their networks and applications, disclosed that a hacker had access to one of its employees' laptops for five days in January 2022. The details and scope of the intrusion remain unclear, since the two sides give conflicting accounts, but a fraction of Okta's customers may be affected as a result of this hack.
According to The Verge, the disclosure comes as the hacking group Lapsus$ has posted screenshots to its Telegram channel claiming to show Okta's internal systems, including one that appears to show Okta's Slack channels and another showing a Cloudflare interface. However, the San Francisco-based company says the screenshots are most likely related to an earlier security incident that occurred in January and has already been resolved.
Lapsus$ is a hacking group that has been responsible for a number of high-profile incidents affecting top tech companies such as Nvidia, Samsung, Microsoft, and Ubisoft. In some cases, the group has stolen hundreds of gigabytes of confidential data from its victims. Meanwhile, Cloudflare, the internet infrastructure and security company and one of the Okta customers whose information appeared in the screenshots, issued a statement. In a tweet, Cloudflare CEO Matthew Prince said the company was aware of the breach claim, but that there was no evidence that its systems were compromised.
A statement by Okta’s chief security officer David Bradbury says that “We have concluded that a small percentage of customers – approximately 2.5 per cent – have potentially been impacted and whose data may have been viewed or acted upon.” Bradbury further disclosed in his statement on Tuesday evening that “We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.”
In an earlier statement, the company said that during the five-day period the attacker had only limited access. The company claims the access was limited enough that “there are no corrective actions that need to be taken by our customers.”
Bradbury acknowledges that one of its support engineers' access was compromised but maintains that the access was limited; here is what is and isn't at stake. “The potential impact to Okta customers is limited to the access that support engineers have,” he says. Okta terminated the support engineer's Okta sessions and suspended the account. Bradbury continues: “These engineers are unable to create or delete users or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.”
Meanwhile, the Lapsus$ hacking group claims through its Telegram channel that it held “Superuser/Admin” access to Okta's systems for about two months, not just the five days Okta cites. The group also claimed that it had access to a thin client rather than a laptop, and that it found Okta storing AWS keys in Slack channels. The group says it used these keys to zero in on Okta's customers.
According to The Wall Street Journal, citing a recent filing, more than 15,000 customers globally, including multinational companies, universities and governments, rely on Okta's software to securely manage access to their systems and verify users' identities.
A statement sent by Okta’s representative Chris Hollis said the company has not found evidence of an ongoing attack. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”