The ransomware group claims that it has had access to customer records since January 2022; Okta says there is no evidence of ongoing malicious activity.

Ransomware group LAPSUS$ has claimed to have breached the internal systems of cloud-based authentication software provider Okta.

The breach was first flagged on Twitter by Bill Demirkapi, a senior security engineer at video conferencing company Zoom, at 8:15pm Pacific Time on Monday night.

According to the LAPSUS$ screenshots, taken from the secure messaging service Telegram and posted online by Demirkapi and others, the ransomware group said it did not target Okta’s databases, instead focusing on Okta customers. It also showed possible superuser access, and screenshots of Okta’s internal Jira and Slack instances.

At 1:23am Pacific Time on Tuesday, Okta CEO Todd McKinnon responded on Twitter:

“In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Despite earlier claims that it had not been breached, Okta then issued another statement later that day asserting that “a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon,” but that “the Okta service is fully operational, and there are no corrective actions our customers need to take.”

In that statement, chief security officer David Bradbury explained that “there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” and therefore any breach was limited to the access level a support engineer typically has, including Jira tickets and lists of users, but not the ability to create or delete users, or download customer databases. “We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted,” Bradbury wrote.

Cloudflare CEO Matthew Prince had earlier tweeted that, while his company had not confirmed a compromise, it would be “resetting the Okta credentials of any employees who’ve changed their passwords in the last four months, out of abundance of caution” and that it would be “evaluating alternatives” to the authentication software.

LAPSUS$ is the same ransomware group that recently successfully breached both Samsung and Nvidia.

Jake Moore, global cyber security advisor at ESET, warned: “Okta’s customers, along with customers of companies who also rely on the technology, must now be extra vigilant and cautious of any suspicious activity on their accounts, especially from unsolicited emails.”