Last week it became known that back in January this year, the Lapsus$ hack group compromised a major provider of access and identity management systems, Okta, and the attack affected about 2.5% of customers.
Between January 16 and 21, 2022, hackers had access to a support engineer’s laptop and the company now admits the hack should have been made public sooner.
In the company blog, Okta representatives expressed regret that they did not disclose details about the Lapsus$ hack earlier, and also shared a detailed chronology of the incident and its investigation. I note that after the news of the hack, the company’s shares fell by 20% in less than a week.
As it turns out, the hack affected Sitel, Okta’s third-party customer support provider.
Okta says it made a mistake at this stage, because ultimately Okta itself is responsible for its contracted service providers (such as Sitel). The statement also emphasizes that in January the scale of the incident was seriously underestimated, because then it seemed that everything was limited to an unsuccessful attempt to take over the account of a Sitel support engineer. In any case, the cybercriminalists involved in the investigation of the incident came to such conclusions.
Okta reiterated that the attack affected only 2.5% (366 companies) of customers, and also emphasized that the compromised Sitel engineer account could be used to repeatedly reset user passwords, but could not be used to log into their accounts, had limited access to Jira tickets and support systems, and was unable to upload, create, or delete customer records.
As a reminder, the hackers last week disputed Okta’s claim that the hack was generally unsuccessful, claiming that they” logged into the portal [as] superuser with the ability to reset the password and MFA for ~ 95% of clients.”
Let me also remind you that we were told that Lapsus$ hack group stole the source codes of Microsoft products.
