Management of Okta admitted they didn’t immediately disclose details about the Lapsus$ attack in vain

Okta and the Lapsus$ Attack

Last week it became known that back in January this year, the Lapsus$ hack group compromised a major provider of access and identity management systems, Okta, and the attack affected about 2.5% of customers.

Between January 16 and 21, 2022, hackers had access to a support engineer’s laptop and the company now admits the hack should have been made public sooner.

In the company blog, Okta representatives expressed regret that they did not disclose details about the Lapsus$ hack earlier, and also shared a detailed chronology of the incident and its investigation. I note that after the news of the hack, the company’s shares fell by 20% in less than a week.

Okta and the Lapsus$ Attack

As it turns out, the hack affected Sitel, Okta’s third-party customer support provider.

On January 20, 2022, the Okta Security team was notified that a new factor has been added to the Sitel Customer Support Engineer account. That factor was the password. Although this particular attempt [of the attack] was not successful, as a precaution, we nullified this account and notified Sitel about what happened, and they brought in leading cybercriminologists to conduct an investigation.says the company.

Okta says it made a mistake at this stage, because ultimately Okta itself is responsible for its contracted service providers (such as Sitel). The statement also emphasizes that in January the scale of the incident was seriously underestimated, because then it seemed that everything was limited to an unsuccessful attempt to take over the account of a Sitel support engineer. In any case, the cybercriminalists involved in the investigation of the incident came to such conclusions.

We did not realize at the time that there was a risk to Okta and our customers. We should have been more active in demanding information from Sitel. In light of the evidence that we have gathered over the past week, it is clear that we would have made a different decision then if we had all the facts we have today.

Okta reiterated that the attack affected only 2.5% (366 companies) of customers, and also emphasized that the compromised Sitel engineer account could be used to repeatedly reset user passwords, but could not be used to log into their accounts, had limited access to Jira tickets and support systems, and was unable to upload, create, or delete customer records.

As a reminder, the hackers last week disputed Okta’s claim that the hack was generally unsuccessful, claiming that they” logged into the portal [as] superuser with the ability to reset the password and MFA for ~ 95% of clients.”

Let me also remind you that we were told that Lapsus$ hack group stole the source codes of Microsoft products.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *