A hacking group that recently extorted Samsung, Nvidia and Microsoft after stealing and publishing their source code said Monday that it also accessed systems used by Okta, which deals with finance and is a major technology vendor for other industries.
Okta’s services vary large range of customers It claims, but its core business is related to identity management – knowing who is a customer and who manages who gets access to information and systems.
This incident is a cautionary tale about the security threats of working with third parties, reputational damage caused by leaks to hackers, and the need to disclose the details of the security breach and respond to comments about it as quickly as possible.
On Tuesday, Okta confirmed some of the claims by cybercriminals known as Lapsus$, and said the group had gained access to some data on 366 (about 2.5%) Okta customers. The group did this by gaining access through a third-party contractor, Sitel.
Banks and credit unions patronizing Okta include Friend, First National of NebraskaAmalgamated Bank, Starling Bank, canadian western bank, Travis Credit Union and Colony Bank. Okta did not specify whether any of its banking customers were affected, but said it had contacted those affected directly.
major non bank Finance related companies Also use Okta, including Nasdaq, FICO, Moody’s, ledge And Western Union, Okta’s systems allow consumers to access their accounts with TransUnion – although neither party has linked the attack to last week’s attack transunion violation – And Equifax Employees also work with Okta technology. Experian Uses Okta’s technology to authenticate both its employees and consumers, and the technology allows financial institutions to access credit and fraud detection services from Experian.
Lapsus$ said it does not “access or steal any databases from Okta”. Okta said the data that Lapsus$ could see was “limited to access that engineers supported”, which does not include the ability to create or delete user identity or login information, nor the ability to download customer databases. .
“Support engineers have access to limited data – eg, Jira” [helpdesk] Tickets and list of users – as seen in the screenshots,” Okta Chief Security Officer David Bradbury said in a blog post. “The support engineer was able to provide the facility for users to reset passwords and multi-factor authentication factors But they are unable to get the password.”
Lapsus$ posted those screenshots on Monday night to its channel on Telegram, a messaging service. Among other items, screenshots show an Okta system called SuperUser, specifically for one of Okta’s major customers, Cloudflare. Internet service provider Okta. Uses up To authenticate your own employees.
This screenshot, released by Lapsus$ to its Telegram channel on Monday evening, shows an Okta system called SuperUser used by Cloudflare. Cloudflare said it has suspended the account seen in the screenshot, but overall the company has not been compromised.
Within two hours of Lapsus$ posting the screenshot, Cloudflare CEO Matthew Prince said in a tweet that “there was no evidence that Cloudflare has been compromised.” The statement came after observers waited for Okta to know what had happened, but he did not come for three hours.
Just before 4:30 p.m. Eastern time on Tuesday, Okta CEO Todd McKinnon said in a tweet Okta detected an “attempt to compromise the account of a third party customer support engineer working for one of our subprocessors” in January. He said the matter was implied, that the screenshots were from the January incident, and that “there was no evidence of ongoing malicious activity.”
To some, the statement appears to be an acknowledgment from Okta that it suffered a security incident in January. Skeptics also said that McKinnon’s claim that the settlement was “failed” didn’t track with what Lapsus$ was showing with its screenshots — cybercriminals had successfully penetrated part of Okta’s system.
Meanwhile, Forbes published a story The company described “fury” toward Okta after months of failing to tell customers about the breach, citing “multiple security professionals,” who declined to comment on the record to Forbes. Wired Published one story Quoting security researcher Bill Demirkapi, who said in a tweet that the situation is “really, really bad.”
— Bill Demirkapi @ shmukon (@BillDemirkapi) 22 March 2022
Okta again published another brief update Confirming about the incident that “Okta service has not been breached and is fully operational” and does not require customers to take any “corrective action”. It later updated the post to say that “a small percentage of customers” were “potentially affected” and that their data was “viewed or acted upon”.
Following the update, Lapsus$ trolled Okta in its Telegram channel, with Okta customers only becoming aware of a breach that occurred in January that day, a complaint filed by others.
“Okta now says 2.5% of customers may be affected and they are contacting them,” said Eva Galperin, director of cybersecurity for the policy advocacy group Electronic Frontier Foundation, linked to the Okta update. “Looks like they should have done something two months ago.”
including companies after a long time cloudflare and cyber security firms Kaspersky Okta security chief Bradbury posted his own timeline and guidance regarding the attack, provided a more definitive update What really happened and what didn’t happen between January and Tuesday.
One of the key details they shared was that it took just two months for a forensics firm to investigate the January incident on behalf of Sitel, a subprocessor who hired Okta with contract workers for their customer support tasks. provides. Lapsus$, Bradbury said, had gained access to the Sitel employee’s laptop.
“The scenario here is similar to walking away from your computer in a coffee shop, where a stranger (literally in this case) has sat down at your machine and is using a mouse and keyboard,” Bradbury said in a blog post.
Sitel retained a forensic firm to investigate the incident, but it took nearly two months for the firm to complete the evaluation and another week for Sitel to share the results with Okta. Bradbury said Sittel shared the report on March 17, and Lapsus$ shared screenshots of the breach five days later — apparently before Okta reviewed the report in its entirety.
“I am deeply disappointed in the long time between our notification to the site and the release of the full investigation report,” Bradbury said in a blog post. “On reflection, once we have received the site summary report, we should have moved more quickly to understand its implications.”