Yesterday was not a great day for Okta. Their CSO, David Bradbury, issued a statement responding to Lapsus$’s claimed hack, but his statement led to a counter-response by Lapsus$ and even more critically, perhaps, people started asking why, if Okta knew about something in January, they had not disclosed it then.
First, here’s Bradbury’s statement:
The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.
In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.
Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.
The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.
We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.
We take our responsibility to protect and secure our customers’ information very seriously. We are deeply committed to transparency and will communicate additional updates when available.
Lapsus$ didn’t take long to respond:
I do enjoy the lies given by Okta.
1. We didn’t compromise any laptop? It was a thin client.
2. “Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider.” –
I’m STILL unsure how it’s an unsuccessful attempt? Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn’t successful?
4. For a company that supports Zero-Trust. *Support Engineers* seem to have excessive access to Slack? 8.6k channels?
5. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords. –
Uhm? I hope no-one can read passwords? not just support engineers, LOL. – are you implying passwords are stored in plaintext?
6. You claim a laptop was compromised? In that case what *suspicious IP addresses* do you have available to report?
7. The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.
8. If you are committed to transparency how about you hire a firm such as Mandiant and PUBLISH their report? I’m sure it would be very different to your report 🙂
In response, Okta issued a second statement yesterday:
As we shared earlier today, we are conducting a thorough investigation into the recent LAPSUS$ claims and any impact on our valued customers. The Okta service is fully operational, and there are no corrective actions our customers need to take.
After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.
Our customers are our pride, purpose, and #1 priority. We take our responsibility to protect and secure customers’ information very seriously. We deeply apologize for the inconvenience and uncertainty this has caused.
I will also be hosting a live webinar tomorrow, Wednesday, March 23, to share more technical details. The webinar will occur at 8 am PDT and again at 4 pm PDT to accommodate our global customers. Please register here.
We immensely value our customers’ business and the trust they put in Okta.
For its part, Lapsus$ ended the day with a notice that some of them will be on vacation until March 30:
A few of our members have a vacation until 30/3/2022.
We might be quiet for some time.
Thanks for understanding us. – we will try to leak stuff ASAP.