Okta investigating claims of customer data breach from Lapsus$ group

Okta, a leading provider of authentication services and Identity and access management (IAM) solutions says it is investigating claims of data breach.

On Tuesday, data extortion group Lapsus$ posted screenshots in their Telegram channel of what it alleges to be access to Okta's backend adminsitrative consoles and customer data.

As a publicly-traded company worth over $6 billion, Okta employs over 5,000 people across the world and provides identity management and authentication services to major organizations including Siemens, ITV, Pret a Manger, Starling Bank, among others.

Lapsus$ claims to have Okta customer data

Data extortion group Lapsus$ claims to have acquired "superuser/admin" access to Okta.com and that it accessed Okta's customer data, as seen by BleepingComputer:

"Okta is aware of the reports and is currently investigating," an Okta spokesperson told BleepingComputer.

"We will provide updates as more information becomes available."

Screenshots shared by Lapsus$, as seen by BleepingComputer, show the system date set to January 21st, 2022, indicating the hack may have occurred months ago.

One of the screenshots displaying Lapsus$' 'superuser' access to Okta's admin console also includes an URL with an email belonging to an Okta customer support representative who was likely compromised.

Okta co-founder and CEO Todd McKinnon has now confirmed this:

In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2)

— Todd McKinnon (@toddmckinnon) March 22, 2022

"We believe the screenshots shared online are connected to this January event," says McKinnon.

"Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January."

However, one of the posted screenshots indicates that Lapsus$ could change customer passwords using Okta's admin panel.

Security researchers are worried that the hacking group could have used this 'superuser' access as a way to breach customer's servers who use the company's authentication solutions.

Oh man, if this it what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy. pic.twitter.com/PY4dIzfwvM

— _MG_ (@_MG_) March 22, 2022

Lapsus$ also reinforced this theory when they said they did not attack Okta to steal the company's databases, but rather to target their customers.

"BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA - our focus was ONLY on okta customers," Lapsus$ stated in a post on Telegram.

With many well-known companies using Okta's services, including Fedex, Peloton, SONOS, T-Mobile, Hewlett Packard Enterprise, and JetBlue, this is obviously of significant concern.

Lapsus$ is on a leaking binge

The development follows Lapsus$' claims that it breached Microsoft's internal Azure DevOps server.

On Monday, Lapsus$ leaked what it claims to be 37 GB of stolen source code for Bing, Cortana, and other Microsoft projects, and Microsoft confirmed it was investigating.

Additionally, the group claimed today that it breached LG Electronics (LGE) for the "second time" in a year. BleepingComputer has not confirmed this claim and has reached out to LG:

Lapsus$ has previously leaked gigabytes of proprietary data purportedly stolen from leading companies such as Samsung, NVIDIA, and Mercado Libre who confirmed this month it had suffered a breach.

Data extortion groups like Lapsus$ breach victims, but as opposed to encrypting confidential files like a ransomware operator would, these actors steal and hold on to victims' proprietary data, and publish it should their extortion demands not be met.

If Lapsus$'s claims of breaching Okta's systems turn out to be accurate, it remains yet to be found out how many of Okta's customers were impacted and to what extent.

Update March 22nd, 5:24 AM ET: Added new statement from Okta CEO McKinnon.