Identity management as-a-service platform Okta says the Lapsus$ extortion gang may in fact have managed to access some of its customers’ data. An updated post detailing Okta’s response to claims of an intrusion into the service sees chief security officer David Bradbury reveal “a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon.” Bradbury has not described the data that may have been viewed, but as Okta’s core service is single sign-on for thousands of cloud services, the possibility that customers’ credentials have leaked to unknown parties cannot be discounted. Okta claims to have more than 15,000 customers, so if 2.5 percent have been compromised, that could be 375 organizations that now need to determine if all logons to their preferred clouds – and the actions taken by authenticated users – were legitimate and/or innocuous. Those investigations need to include all sessions since January 16, the date Okta named in previous statements as the day that attackers compromised a single laptop used by a support engineer working for one of Okta’s suppliers.
It is recommended for all organizations that use Okta for single sign-on (SSO) to force password resets on all Okta credentials and to investigate any suspicious sessions since January 16th. The updated statement from Okta can be found here: https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/