Authentication outfit Okta investigating Lapsus$ breach report

The Lapsus$ extortion crew has turned its attention to identity platform Okta and published screenshots purportedly showing the group gaining access to the company’s internals.

The incident follows the group’s claim over the weekend that it had made off with chunks of Microsoft’s code. However, a compromise at Okta could be altogether more serious since the company’s services are used by many others to manage network and application access as well as user identities.

At first glance, it appears that the group gained access to a “superuser” account as well as other internal tools. Okta has yet to confirm this is the case.

Also concerning is the fact that the screenshots appear to come from January 2022, which could mean there has been access for a while. It could also be that some sort of compromise occurred briefly, and the hackers have chosen now to show off their prowess. Okta CEO Todd McKinnon reckoned it was the latter.

Either way, if a breach occurred, the implications are grave. Oliver Pinson-Roxburgh, CEO of security outfit Bulletproof, warned: “As the gatekeeper to the networks and data of thousands of organizations, a breach at Okta would have significant consequences.”

“Even before the veracity of such an incident is confirmed,” he went on, “it is imperative for businesses to take proactive steps now – any delay risks the potential attack spreading.”

Oz Alashe, CEO of CybSafe and chair of the UK government’s DCMS Industry Expert Advisory Group on Cyber Resilience, said: “The potential attack on Okta is a striking reminder of the supply chain’s cyber risks. Cybercriminals will often identify the route of least resistance. An authentication tool such as Okta provides the opportunity to breach hundreds of large enterprises in one sweep.”

However, Alashe cautioned: “While Okta’s investigation is ongoing, it’s important the security community doesn’t jump to conclusions and harass its security team at this challenging time.”

That said, some companies were taking no chances. Cloudflare, which uses Okta as an identity provider, announced it would be resetting the Okta credentials of employees. Just in case.

The Register contacted Okta for comment, but the company only repeated the tweeted comments of McKinnon.

While the investigation continues, let's take a moment to review Okta’s recent emissions from its social media orifice. We fervently hope that this one won’t end up in the “aged badly” bucket. ®