2.5% of clients from Okta got impacted by the Lapsus$ hack

March 29, 2022

A statement from Okta's representative revealed that about 2.5% of the company's clients may have been impacted by the data breach that transpired last March 22, carried out by the Lapsus$ threat group. Although Okta has not provided further details about the attack's impact, it added that the affected clients can analyze the issue through the report it has provided to them.

The data breach against Okta came to light after the Lapsus$ threat group posted screenshots on its Telegram channel. In the post, the threat group claimed to have acquired a large amount of sensitive data from the identity solutions firm by accessing a superuser/admin account on Okta's website.


Lapsus$ hackers intruded on a computer of an Okta support engineer from Sitel via remote access.


Okta contracted Sitel for customer support services. From the screenshots posted by the threat group, it can be seen that the compromised computer belonged to a Sitel employee and that the hackers infiltrated it over Remote Desktop Protocol (RDP).

The support engineer manages Okta's client tenants through an internal app called 'SuperUser,' to which the hackers had access from January 16 to 21 of this year. The threat actors disconnected from the server after attempting to add a new MFA factor from an unusual location.

As Okta's security team began probing the incident, it determined that approximately 2.5% of the overall customer base had been impacted. This conclusion is based on the time frame during which the Lapsus$ threat group had access to the SuperUser app used by the Sitel support engineer.

The identity solutions firm also requested an investigation report from Sitel; however, Sitel submitted the report later than expected, which slowed down the incident analysis on Okta's end.

Another leaked screenshot showed the email address of a Cloudflare employee, along with an on-screen popup in which the hacker posed as an Okta employee. Experts believe this evidence shows that a password reset was initiated, but Cloudflare explained that the password reset applied to employees who had reset their passwords between December 1 last year and March 22.

Cloudflare also added that, aside from Okta, it relies on other layers of security within its organization, especially since Okta's data breach has drawn enough attention for firms to consider other options.
