Okta Compromised by LAPSUS$
Written By: Austin Miller
It’s every security company’s worst nightmare – a serious breach. But that’s exactly what has happened to cloud access management software provider Okta this week. Was Okta compromised by LAPSUS$? Although some details are still hazy, it seems that a lapse in judgement by a third-party customer support engineer led to credentials being leaked onto the internet.
What is Okta?
Okta is a popular cloud access management service that has grown in popularity since being launched in 2009. It is also the latest victim in the string of attacks staged by the hacker group LAPSUS$, believed to be based in South America.
Was Okta Compromised by LAPSUS$? What has Okta said about the incident?
Despite the leak occurring in January, it wasn’t until March 22nd that Okta made the announcement that the breach had happened at all. It seems that the prompt for the public disclosure of the breach came from LAPSUS$ forcing Okta’s hand and posting the following images online:
After the incident, a series of posts by David Bradbury, Okta CSO, were put on the Okta blog, stating that the breach had been minor and that the reported superuser rights gained by the adversary only gave them access to:
- Resetting password functionality
- Rights to prompt MFA setups
The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.
Bradbury’s full statement can be read here.
LAPSUS$ disagrees, however…
Somewhat unusually for a hacking group, LAPSUS$ immediately launched a response back at Bradbury that read as such:
Despite Bradbury’s statements, an irritated LAPSUS$ collaborator tore through Okta’s mitigating response. Included in the rant were:
- Doubts about whether a laptop had been compromised at all
- Refusal to downplay the access to password reset rights to 95% of accounts
- Details about access to Okta’s Slack channels
- Concerns about whether anyone should be able to access Okta’s passwords
The LAPSUS$ gang posted the above message to its Telegram group and pointed fingers at Sykes Enterprises. The Sitel Group subsidiary, contracted to provide Okta support services from Costa Rica, was targeted by hackers in January and
Cloudflare gets involved
Okta’s most famous customer is Cloudflare, and a combined statement from John Graham-Cumming, Lucas Ferreira, and Daniel Stinson-Diess said that they conducted their own investigation into the incident after it became public knowledge. This implies that Cloudflare did not know what was happening in January when the incident occurred.
Thankfully for Cloudflare’s extensive customer base, the team only uses Okta internally. The blog post also linked to a number of articles explaining how the team uses the access management software only internally and follows authentication best practices such as hardware tokens to avoid account takeovers.
In case you find yourself in a similar position to Cloudflare in the near future, here was their workflow to stop account takeovers:
- Reach out to the offended party for more information
- Suspend all accounts which seem to be breached
- Analyse system logs for indicators of compromise, e.g. password changes, hardware token changes. If you are using Okta, the following event types will help in your research:
  - user.account.reset_password
  - user.mfa.factor.update
  - system.mfa.factor.deactivate
  - user.mfa.attempt_bypass
  - user.session.impersonation.initiate
- Assess email logs to view password resets
- Create a list of all employees who have had their passwords changed since the incident and investigate in retrospect.
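The log-analysis step of the workflow above, as an added example that is not Cloudflare's or Okta's own tooling: it filters Okta System Log records for the event types listed, restricts them to an assumed incident window, and builds the list of affected users and the per-actor counts a responder would want to review. The log lines, identities and window start are constructed sample values.

```python
import json
from collections import Counter
from datetime import datetime

# Event types named in the workflow above as indicators worth reviewing.
WATCHED_EVENT_TYPES = {
    "user.account.reset_password",
    "user.mfa.factor.update",
    "system.mfa.factor.deactivate",
    "user.mfa.attempt_bypass",
    "user.session.impersonation.initiate",
}

# Constructed sample log in Okta System Log shape, one JSON object per line.
SAMPLE_LOG = """\
{"eventType": "user.session.start", "published": "2022-01-15T10:00:00.000Z", "actor": {"alternateId": "alice@example.test"}, "target": [{"type": "User", "alternateId": "alice@example.test"}]}
{"eventType": "user.account.reset_password", "published": "2022-01-20T14:32:00.000Z", "actor": {"alternateId": "support-eng@vendor.test"}, "target": [{"type": "User", "alternateId": "bob@example.test"}]}
{"eventType": "user.mfa.factor.update", "published": "2022-01-20T14:35:00.000Z", "actor": {"alternateId": "support-eng@vendor.test"}, "target": [{"type": "User", "alternateId": "bob@example.test"}]}
{"eventType": "user.account.reset_password", "published": "2021-12-01T09:00:00.000Z", "actor": {"alternateId": "helpdesk@example.test"}, "target": [{"type": "User", "alternateId": "carol@example.test"}]}
{"eventType": "user.session.impersonation.initiate", "published": "2022-01-21T08:00:00.000Z", "actor": {"alternateId": "support-eng@vendor.test"}, "target": [{"type": "User", "alternateId": "dave@example.test"}]}
"""

def parse_ts(value):
    """Parse an Okta-style ISO 8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_events(raw):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def triage(events, since):
    """Return (flagged events, affected user ids, events per actor) for watched types at or after `since`."""
    flagged, affected, by_actor = [], set(), Counter()
    for ev in events:
        if ev.get("eventType") not in WATCHED_EVENT_TYPES:
            continue
        if parse_ts(ev["published"]) < since:
            continue  # predates the window under investigation
        flagged.append(ev)
        by_actor[ev["actor"]["alternateId"]] += 1
        affected.update(t["alternateId"] for t in ev.get("target", []) if t.get("type") == "User")
    return flagged, sorted(affected), by_actor

if __name__ == "__main__":
    # Assumed window start for the constructed sample; use your own incident date.
    flagged, users, by_actor = triage(parse_events(SAMPLE_LOG), parse_ts("2022-01-16T00:00:00Z"))
    for ev in flagged:
        print(ev["published"], ev["eventType"], "by", ev["actor"]["alternateId"])
    print("Users to review:", users)
    print("Events per actor:", dict(by_actor))
```

A single support actor accounting for most of the flagged events in a short span is the pattern to look for; the older reset by the internal helpdesk is dropped because it predates the window.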
How can I defend my organization?
Although it appears that this attack was little more than opportunistic identity theft by a reportedly talented teenager, this story is another showcase of the weakest part in every cybersecurity system – the human element. Okta has done everything right at every stage, but LAPSUS$’s screenshots and replies have potentially caused significant reputational damage to the San Francisco-based company.
If you are an Okta or Cloudflare user, there is very little for you to do at this stage if you have not already been contacted. Okta’s quick response meant that the 2.5% of their customers that were affected – reportedly 366 victims – have already been in touch with the access management company and have had their security ensured. If you were not in this small group, you will be unaffected.
But instead of a lesson about Okta’s specific case, cybersecurity professionals should use this breach as a cautionary tale for understanding their own third-party provisions. Within the cybersecurity industry, reputation is everything. Robust user training is not only necessary for your organization, but for all third parties that you choose to work with.