Hundreds of companies affected by Okta breach, while London police arrested seven potential Lapsus$ members.
It has been a busy week for hacking and extortion collective Lapsus$. It first leaked what it claimed to be employee account information from LG Electronics, as well as source code for a variety of Microsoft products. A few hours later, the group also released screenshots indicating it had breached identity and access management company Okta. News of the potential breach spread quickly online. Okta provides a single sign-on service for large organizations that allows employees to log in to multiple systems without requiring a different password for each one. An Okta hack could have potentially severe implications for customers. Okta published a preliminary statement on Tuesday morning, indicating that the screenshots Lapsus$ released came from « an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors » that occurred in January this year. A second statement from David Bradley, Chief Security Officer at Okta, provided more details about the « unsuccessful attempt » to breach the support engineer’s account. While reassuring customers that « the Okta service has not been breached and remains fully operational », he also admitted that a forensic investigation found « there was a five-day window of time between January 16-21,2022, where an attacker had access to a support engineer’s laptop ». Bradley insisted, however, that « [t]he potential impact to Okta customers is limited to the access that support engineers have », noting in particular that the hacking group cannot download customer data and does not have access to passwords. Independent security researcher Bill Demirkapi provided further details to TechRadar Pro via email. He explained that the third-party support engineer appeared to work for SYKES Enterprises, Inc, now confirmed by Okta, and that, « using the access this support staff had, Lapsus$ was able to breach Okta’s internal Slack, Jira, and backend administrative access panel used to assist customers ». He added that, « at this time, it does not appear like Lapsus$ still has access to Okta’s environment. » On Tuesday afternoon, Lapsus$ responded to Bradley’s statement in its Telegram channel, taking issue with his characterization of the attack as “unsuccessful ».
