Lapsus$’s Claimed Cyber Attack on Okta Turns Out To Be a Damp Squib

essidsolutions

Identity and access management vendor Okta on Wednesday shared findings from its in-depth investigation of the January 2022 security breach, reportedly conducted by prolific cyber extortionists Lapsus$. The results may surprise you.

The Okta breach by cyber extortionists Lapsus$ is significantly smaller than initially anticipated. According to the cybersecurity company, which concluded its investigation into the January 2022 incident this week, Lapsus$ was able to access just two active customer tenants in the Okta environment.

Researchers initially expected that Lapsus$ had impacted at least 366 organizations that used Okta’s services, a figure that would correspond to 2.5% of Okta’s ~15,000 customer organizations. Okta said its investigation covered the five-day window between January 16 and 21. To the relief of Okta and its customers, the threat actors had control for only 25 consecutive minutes, on January 21, 2022.

The breach itself resulted from Lapsus$ gaining access to a workstation belonging to one of Sitel’s customer support engineers. This system had access to Okta infrastructure and resources. Besides the two unnamed customers, Lapsus$ also had “limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants.”

Okta said that Lapsus$ couldn’t make any configuration changes, MFA or password resets, or impersonate customer support engineers.

The Okta breach preceded Lapsus$’s other breaches, extortion attempts, and data leaks at NVIDIA, Samsung, Ubisoft, Microsoft, and others. But the group’s disclosure of it nonetheless came right on the heels of those high-profile data leaks, which unsettled the cybersecurity community.

See More: Lapsus$ Claims Okta Breach, Triggering Fears of Digital Supply Chain Attacks

Three things added fuel to the fire: Okta did not disclose the incident until Lapsus$ posted the screenshots on its Telegram channel, the threat actors’ operations were unpredictable and immature, and the initially anticipated scope of the attack on Okta was large. This earned the San Francisco, CA-based cybersecurity company some rightful criticism from the industry.

As Okta CSO David Bradbury rightly put it: “While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta.”

“We recognize how vital it is to take steps to rebuild trust within our broader customer base and ecosystem. The conclusions from the final forensic report do not lessen our determination to take corrective actions designed to prevent similar events and improve our ability to respond to security incidents,” Bradbury added.

As part of the mitigation measures, Okta has published a final forensic report and an Okta Security Action Plan, which details the company’s short- and long-term security plans, including those covering the third-party processors through which the January breach occurred. The company also terminated its relationship with Sitel.

Okta is also taking on direct management of all third-party devices with access to Okta resources and is mandating a Zero Trust architecture for its sub-processors.

In March, London police arrested seven alleged Lapsus$ members in the U.K., including a 16-year-old. However, the group is widely believed to have its origins in South America. After the U.K. arrests, Lapsus$ continued its malicious activities and released 70 GB of Globant data late in March 2022.
