Okta says data leak came from breach of third-party customer support provider

[Photo: Todd McKinnon, chief executive officer of Okta, said on Twitter early Tuesday morning that the company had detected in January "an attempt to compromise" a third-party account with access to Okta systems. The announcement led to questions about why the company had not shared information about the incident sooner. Credit: David Paul Morris/Bloomberg]

A hacking group that recently extorted Samsung, Nvidia and Microsoft after stealing and publishing their source code said Monday it also accessed systems used by Okta, a major tech vendor to finance and other industries.

Okta’s services vary across its large customer base, but its core business is identity management — verifying who a user is and managing who gets access to information and systems.

The incident is a cautionary tale about the security dangers of working with third parties, the reputational damage that can come from hackers’ leaks, and the need to disclose details of a security breach and respond to comments about it as quickly as possible.

On Tuesday, Okta confirmed some of the claims by the cybercriminals, known as Lapsus$, and said the group had gained access to certain data on 366 Okta customers (approximately 2.5% of its customer base). The group did so by gaining access through a third-party contractor, Sitel.

Among the banks and credit unions that patronize Okta are Ally, First National of Nebraska, Amalgamated Bank, Starling Bank, Canadian Western Bank, Travis Credit Union and Colony Bank. Okta did not specify whether any of its banking customers were affected but said it had directly contacted those that were affected.

Major nonbank companies related to finance also use Okta, including Nasdaq, FICO, Moody’s, Brinks and Western Union. Okta’s systems allow consumers to access their accounts with TransUnion — though no party has linked the attack to last week’s TransUnion breach — and Equifax employees also work with Okta technology. Experian uses Okta’s technology to authenticate both its employees and consumers, and the technology allows financial institutions to access credit and fraud detection services from Experian.

Lapsus$ said it “did not access” or steal “any databases from Okta.” Okta said the data Lapsus$ could see was “limited to the access that support engineers have,” which does not include the ability to create or delete user identity or login information, nor the ability to download customer databases.

“Support engineers do have access to limited data — for example, Jira [helpdesk] tickets and lists of users — that were seen in the screenshots,” David Bradbury, chief security officer for Okta, said in a blog post. “Support engineers are also able to facilitate the resetting of passwords and multifactor authentication factors for users, but are unable to obtain those passwords.”

Lapsus$ posted those screenshots in its channel on Telegram, a messaging service, Monday night. Among other items, the screenshots show an Okta system called SuperUser, specifically for one of Okta’s major customers, Cloudflare. The internet services provider uses Okta to authenticate its own employees.

[Screenshot: This screenshot, released by Lapsus$ on Monday evening in its Telegram channel, shows an Okta system called SuperUser used by Cloudflare. Cloudflare said it suspended the account visible in the screenshot but that the company overall had not been compromised.]

Within two hours of Lapsus$ posting the screenshot, Cloudflare CEO Matthew Prince said in a tweet that there was “no evidence that Cloudflare has been compromised.” The statement came as observers awaited word from Okta itself about what had happened, but that did not come for another three hours.

Just before 4:30 a.m. Eastern Time on Tuesday, Okta CEO Todd McKinnon said in a tweet that Okta detected in January “an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors.” He added that the matter was contained, that the screenshots were from the January event, and that there was “no evidence of ongoing malicious activity.”

For some, the statement seemed to constitute an admission from Okta that it had suffered a security incident in January. Skeptics also said McKinnon’s claim that the compromise was “unsuccessful” did not track with what Lapsus$ seemed to show with its screenshots — that the cybercriminals had successfully gotten into part of Okta’s systems.

In the midst of this, Forbes published a story describing “fury” toward Okta after the company failed for months to tell customers about a breach, citing “multiple security professionals” who declined to comment on the record to Forbes. Wired published a story citing the security researcher Bill Demirkapi, who said in a tweet that the situation was “really, really bad.”

Okta then published another brief update about the incident affirming the “Okta service has not been breached and remains fully operational” and that customers did not need to take any “corrective actions.” It later updated the post to say that a “small percentage of customers” had “potentially been impacted” and had their data “viewed or acted upon.”

After the update, Lapsus$ trolled Okta in its Telegram channel, including by pointing out Okta customers had only learned that day about a breach that happened in January, a complaint others also made.

“Okta now says 2.5% of customers may have been impacted and they are contacting them,” said Eva Galperin, director of cybersecurity for the policy advocacy group Electronic Frontier Foundation, linking to the Okta update. “This seems like something they should have done two months ago.”

Long after companies including Cloudflare and the cybersecurity firm Kaspersky posted their own timelines and guidance about the attack, Bradbury, the Okta security chief, provided a more definitive update about what exactly happened and did not happen between January and Tuesday.

One of the key details he shared was that it took just under two months for a forensic firm to investigate the January incident on behalf of Sitel, a subprocessor that provides Okta with contract workers for its customer support operations. Lapsus$, Bradbury said, had gained access to the laptop of a Sitel employee.

“The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard,” Bradbury said in a blog post.

Sitel retained a forensics firm to investigate the incident, but it took nearly two months for the firm to complete the assessment and another week for Sitel to share the results with Okta. Bradbury said Sitel shared the report on March 17, and Lapsus$ shared screenshots from the breach five days later — apparently before Okta even fully reviewed the report.

“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report,” Bradbury said in a blog post. “Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.”
