The ransomware group claims that it has had access to customer records since January 2022; Okta says there is no evidence of ongoing malicious activity.

Ransomware group LAPSUS$ has claimed to have breached the internal systems of cloud-based authentication software provider Okta.

The breach was first flagged on Twitter by Bill Demirkapi, a senior security engineer at video conferencing company Zoom, at 8:15pm Pacific Time on Monday night.

According to the LAPSUS$ screenshots, taken from the secure messaging service Telegram and posted online by Demirkapi and others, the ransomware group said it did not target Okta’s databases, instead focusing on Okta customers. The screenshots also showed possible superuser access, as well as Okta’s internal Jira and Slack instances.

At 1:23am Pacific Time on Tuesday, Okta CEO Todd McKinnon responded on Twitter:

“In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Despite earlier claims that it had not been breached, Okta then issued another statement later that day asserting that “a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon,” but that “the Okta service is fully operational, and there are no corrective actions our customers need to take.”

In that statement, chief security officer David Bradbury explained that “there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” and therefore any breach was limited to the access level a support engineer typically has, including Jira tickets and lists of users, but not the ability to create or delete users, or download customer databases. “We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted,” Bradbury wrote.

Cloudflare CEO Matthew Prince had earlier tweeted that, while his company had not confirmed a compromise, it would be “resetting the Okta credentials of any employees who’ve changed their passwords in the last four months, out of abundance of caution” and that it would be “evaluating alternatives” to the authentication software.

LAPSUS$ is the same ransomware group that recently successfully breached both Samsung and Nvidia.

Jake Moore, global cyber security advisor at ESET, warned: “Okta’s customers, along with customers of companies who also rely on the technology, must now be extra vigilant and cautious of any suspicious activity on their accounts, especially from unsolicited emails.”