
Okta Closes Lapsus$ Breach Probe, Adds New Security Controls

Identity and access management tech firm Okta says it has concluded an investigation into the embarrassing Lapsus$ hacking incident and has severed ties with a third-party company at the center of the breach.

Facing public criticism for communications hiccups after the breach was detected, Okta issued a public statement Wednesday to stress that the impact from the incident was “significantly smaller than we initially scoped.”

A statement from Okta’s Chief Information Security Officer (CISO) David Bradbury said the company initially determined that about 366 customers were affected but a third-party forensic audit showed the damage was contained.

Bradbury described the main conclusions from the audit, which was conducted by an unnamed globally recognized cybersecurity forensic firm:

  • The threat actor actively controlled a single workstation, used by a Sykes/Sitel support engineer, with access to Okta resources.
  • Control lasted for 25 consecutive minutes on January 21, 2022.
  • During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants.
  • The threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support “impersonation” events.
  • The threat actor was unable to authenticate directly to any Okta accounts.

“While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta,” Bradbury said.

He said Okta had terminated its relationship with Sykes/Sitel and will now “directly manage” all devices of third parties that access its customer support tools.

“We are making further modifications to our customer support tool to restrictively limit what information a technical support engineer can view. These changes also provide greater transparency about when this tool is used in customer admin consoles,” Bradbury added.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
