The hackers dispute Okta’s claim that the hack was unsuccessful.
Approximately 375 Okta customers (2.5%) were allegedly affected by a cyber attack by the Lapsus$ ransomware group. An Okta spokesperson confirmed that in January of this year, hackers tried to break into the laptop of one of the company's support engineers.
As the results of the investigation of the cyber incident showed, the attackers had access to the laptop from January 16 to January 21, 2022, during which they could access the Okta customer support panel and the company’s Slack server.
Screenshots previously posted by Lapsus$ show the email address of an Okta employee who apparently had “superuser” privileges to list users, reset passwords, reset MFA, and access support tickets.
“Help desk engineers have access to limited data, such as Jira tickets and user lists, which were visible in the screenshots. Help desk engineers can also make it easy for users to reset passwords and multi-factor authentication, but they cannot retrieve those passwords,” Okta explained.
The Lapsus$ screenshots also show the email address of a Cloudflare employee whose password was about to be reset by the hackers who had compromised the Okta employee’s account. That employee’s account was suspended approximately 90 minutes after Cloudflare’s Security Incident Response Team (SIRT) was first notified of a potential problem, Cloudflare said.
Cloudflare noted that Okta’s services are used internally for employee identity, integrated into its authentication stack, and that its customers have nothing to worry about “unless they use Okta themselves.” To rule out any unauthorized access to its employee accounts, Cloudflare reviewed every password reset and MFA change since December 1, 2021.
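The review Cloudflare describes (every password reset and MFA change since a cutoff date) is a log-filtering job. The script below is an added example, not code from the article, Okta or Cloudflare: it walks a newline-delimited JSON audit log, keeps only sensitive account-change events published on or after the cutoff, groups them by the actor who performed them, and flags actors that are not on the expected help desk allowlist. The sample events are constructed, and the event type names (`user.account.reset_password`, `user.mfa.factor.reset_all`, `user.mfa.factor.deactivate`) and field layout are assumed to mirror the shape of an Okta System Log entry; check them against your own provider's documentation before relying on them.

```python
"""Review password-reset and MFA-reset events in an identity-provider audit
log since a cutoff date.  Added example; not from the original article.

The sample events are CONSTRUCTED.  The event type strings and the
eventType/published/actor/target layout are ASSUMED to mirror Okta System
Log entries; verify the exact names against your provider's documentation.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Event types treated as sensitive account changes (assumed names).
SENSITIVE_EVENTS = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}

# Cutoff used in the article's described review.
DEFAULT_CUTOFF = datetime(2021, 12, 1, tzinfo=timezone.utc)

# Constructed sample log: newline-delimited JSON, one event per line.
SAMPLE_LOG = """\
{"eventType": "user.session.start", "published": "2021-11-30T08:00:00.000Z", "actor": {"alternateId": "alice@example.com"}, "target": [{"alternateId": "alice@example.com"}]}
{"eventType": "user.account.reset_password", "published": "2021-11-15T09:00:00.000Z", "actor": {"alternateId": "helpdesk@example.com"}, "target": [{"alternateId": "bob@example.com"}]}
{"eventType": "user.account.reset_password", "published": "2022-01-18T02:13:00.000Z", "actor": {"alternateId": "support-vendor@example.com"}, "target": [{"alternateId": "carol@example.com"}]}
{"eventType": "user.mfa.factor.reset_all", "published": "2022-01-18T02:14:30.000Z", "actor": {"alternateId": "support-vendor@example.com"}, "target": [{"alternateId": "carol@example.com"}]}
{"eventType": "user.mfa.factor.deactivate", "published": "2022-01-20T14:05:00.000Z", "actor": {"alternateId": "dave@example.com"}, "target": [{"alternateId": "dave@example.com"}]}
"""


def parse_ts(value):
    """Parse an ISO-8601 timestamp with millisecond precision and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def sensitive_changes_since(log_text, cutoff):
    """Return sensitive events published at or after cutoff, oldest first."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventType") not in SENSITIVE_EVENTS:
            continue
        when = parse_ts(ev["published"])
        if when < cutoff:
            continue
        hits.append({
            "when": when,
            "event": ev["eventType"],
            "actor": ev["actor"]["alternateId"],
            "targets": [t["alternateId"] for t in ev.get("target", [])],
        })
    hits.sort(key=lambda h: h["when"])
    return hits


def group_by_actor(hits):
    """Map each actor to the sorted list of accounts it changed.

    One actor touching many accounts in a short window is the pattern
    a support-portal compromise would produce, so this is the view to eyeball."""
    by_actor = defaultdict(set)
    for h in hits:
        by_actor[h["actor"]].update(h["targets"])
    return {actor: sorted(targets) for actor, targets in by_actor.items()}


def actors_outside_allowlist(hits, allowed_actors):
    """Actors performing sensitive changes who are not expected help desk staff."""
    return sorted({h["actor"] for h in hits} - set(allowed_actors))


if __name__ == "__main__":
    hits = sensitive_changes_since(SAMPLE_LOG, DEFAULT_CUTOFF)
    for h in hits:
        print(h["when"].isoformat(), h["event"], h["actor"], "->", ", ".join(h["targets"]))
    print("by actor:", group_by_actor(hits))
    print("unexpected actors:", actors_outside_allowlist(hits, ["helpdesk@example.com"]))
```

Run against a real export, each flagged reset or MFA change becomes a ticket to confirm with the account owner; self-service changes by the user on their own account (like the last sample event) still show up, by design, because an attacker holding a session can make the same change.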
In response to Okta’s statements, the Lapsus$ group shared their side of the story. According to the criminals, they compromised not an Okta employee’s laptop but their thin client (a low-performance system that remotely connects to a virtual environment to perform tasks). The hackers dispute Okta’s claim that the hack was unsuccessful. According to them, they “logged into the superuser portal with the ability to reset the password and MFA of approximately 95% of the customers.”