LAPSUS$ ransomware group claims Okta breach

Ransomware group LAPSUS$ has claimed to have breached the internal systems of cloud-based authentication software provider Okta.

The breach was first flagged on Twitter by Bill Demirkapi, a senior security engineer at video conferencing company Zoom, at 8:15pm Pacific Time on Monday night.

According to the LAPSUS$ screenshots, taken from the secure messaging service Telegram and posted online by Demirkapi and others, the ransomware group said it did not target Okta’s databases, instead focusing on Okta customers. It also showed possible superuser access, and screenshots of Okta’s internal Jira and Slack instances.

At 1:23am Pacific Time on Tuesday, Okta CEO Todd McKinnon responded on Twitter:

In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.

Despite earlier claims that it had not been breached, Okta then issued another statement later that day asserting that “a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon,” but that “the Okta service is fully operational, and there are no corrective actions our customers need to take.”

In that statement, chief security officer David Bradbury explained that “there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” and therefore any breach was limited to the access level a support engineer typically has, including Jira tickets and lists of users, but not the ability to create or delete users, or download customer databases.

“We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted,” Bradbury wrote.

Cloudflare CEO Matthew Prince had earlier tweeted that, while his company had not confirmed a compromise, it would be “resetting the Okta credentials of any employees who’ve changed their passwords in the last four months, out of abundance of caution” and that it would be “evaluating alternatives” to the authentication software.

LAPSUS$ is the same ransomware group that recently successfully breached both Samsung and Nvidia.

Jake Moore, global cyber security advisor at ESET, warned: “Okta’s customers, along with customers of companies who also rely on the technology, must now be extra vigilant and cautious of any suspicious activity on their accounts, especially from unsolicited emails.”