Okta says Lapsus$ breach hit just two customers

Now that the final forensic report on the January breach is done, the cloud identity management firm says the actual impact "was significantly less than the maximum potential impact Okta initially shared" in March.
Written by Stephanie Condon, Senior Writer

Following the conclusion of its investigation into a January security breach, Okta on Wednesday said the incident was "significantly smaller" in scope than previously thought. The breach, in which hackers gained access to the laptop of a third-party customer support engineer, lasted just 25 minutes and affected only two active customer tenants.

The incident occurred on January 21, when the Lapsus$ hacking group had remote access to a laptop of a Sitel customer support engineer. The breach came to light on March 22, when the hacking group published screenshots of Okta's systems.

Based on the final forensic report of an unnamed "globally recognized cybersecurity firm," the group had control of a single workstation used by a Sitel support engineer with access to Okta resources. During the 25 minutes when they had control of the workstation, the threat actor accessed two active customer tenants within the SuperUser application. They also viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants.

Okta said the threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support "impersonation" events. The threat actor was also unable to authenticate directly to any Okta accounts.

"While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta," Okta Chief Security Officer David Bradbury wrote in Wednesday's blog post.

After the screenshots appeared on March 22, Okta disclosed that as many as 366 customers were affected. Of course, there were questions as to why customers did not know about the incident sooner. About a week later, the company explained that it didn't inform customers earlier because it "did not know the extent of the Sitel issue... We didn't recognize that there was a risk to Okta and our customers."

Now that its investigation is over, Okta has given customers access to the final forensic report, as well as Okta's "Security Action Plan."

The company said Wednesday that it's taking various steps to improve its audit procedures and security assurances for sub-processors. For instance, it will require that sub-processors who provide Support Services on Okta's behalf adopt "Zero Trust" security architectures. Okta has also terminated its relationship with Sykes/Sitel.

Additionally, Okta will now directly manage all devices of third parties that access its customer support tools.