
Fury as Okta, the company that manages logins for 100 million users, fails to notify customers of the breach for months

Okta, the $25 billion market cap company that manages logins for more than 100 million users, today confirmed that it suffered a breach in January via a third-party customer support provider. But for some customers who spoke to Forbes, the disclosure came too late and offered too little information.

Okta’s admission came after a hacking crew called LAPSUS$, which extorts its targets after stealing their data and often leaks victim information in public forums, claimed it had breached the company. LAPSUS$ previously claimed to have stolen data from major technology companies, including NVIDIA and Microsoft, leading both to investigate the alleged breaches. The crew posted screenshots showing apparent access to Okta’s internal systems in a bid to prove the breach was real.

In a statement on Tuesday, Okta said, “In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our contractors. The matter was investigated and brought under control by the sub-contractor. We believe the screenshots shared online are related to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.” The company had not responded to further questions about the severity of the attack.

The support provider targeted by the hackers, according to screenshots posted by LAPSUS$ in its Telegram group, is Sykes Enterprises, which is under contract with Okta for customer services in Costa Rica. The company, which is part of the Sitel group, told Forbes that “parts of the Sykes network” had been breached in January, and “We took prompt action to contain the incident and protect all potentially affected customers.”

“Following actions taken by our global security and technology teams, a global cybersecurity leader has been engaged to conduct an immediate and full investigation into the matter. Following the completion of the initial investigation, together with the global cybersecurity leader, we continue to investigate and assess potential security risks to our infrastructure and to the brands we support around the world,” said the spokesperson.

“As a result of the investigation, as well as our ongoing assessment of external threats, we are satisfied that there is no longer a security risk.”

Although Okta’s statement indicates that the hack is not serious, what has concerned observers and customers alike is Okta’s communication, or lack thereof. Nearly two months passed between the initial hack and the company’s first word on Tuesday, shortly after LAPSUS$ claimed the breach. Several security professionals who spoke with Forbes said they were outraged by Okta’s lack of disclosure, but declined to comment on the record.

Matthew Prince, CEO of Cloudflare, went so far as to say that his web security company was considering other options for its single sign-on technology, which is designed to let employees use a single set of credentials for many services rather than a separate login for each app.

Concerns about the severity of the attack remain, despite Okta’s attempts to downplay the breach. Screenshots provided by LAPSUS$ indicate that a single Sykes user was granted so-called super user access, apparently granting that user permission to reset user passwords and view customer activity. The hackers also showed access to an Okta Slack channel. Okta has yet to comment on those aspects of the breach. According to its own documentation, Sykes employees’ access to Okta’s data should be limited to data in its internal Salesforce and Amazon Web Services applications.

Jon Oberheide, co-founder of Okta rival Duo Security, tweeted that Okta’s explanation and apparent downplaying of the breach should be taken “with a grain of salt”. He then described a case where Okta also downplayed a hacking vulnerability that affected multiple single sign-on providers, including Duo.

LAPSUS$ has been particularly critical of Okta, writing in its Telegram group: “For a service that powers the authentication systems of many of the biggest companies. . . I think these security measures are pretty poor.” The group noted that many of those customers have been authorized to provide services to the U.S. government through FedRAMP certification, which greenlights software for use by federal agencies after verifying its security.

So far, Okta’s lack of communication about the nature and severity of the breach is driving customer anger, not to mention panic. “A breach at Okta could have potentially disastrous consequences,” said Ekram Ahmed, spokesman for cybersecurity firm Check Point. “If you are an Okta customer, we urge you to exercise extreme vigilance and adopt cybersecurity practices. The full extent of the cybergang’s resources should be revealed in the coming days.”

As for LAPSUS$, it continues to embarrass big tech companies and remains an enigmatic criminal gang. According to a Check Point analysis, it is a “Portuguese hacking group from Brazil”, and although it has been described as a “ransomware group”, it does not encrypt its victims’ systems. “The real motivation of the group is however not yet clear, even though it claims to be purely financial.”

UPDATE: After the publication, Okta issued an updated statement in which it said: “There was a five-day window of time between January 16 and January 21, 2022, where an attacker had access to the laptop of a support engineer. This is consistent with the screenshots we saw yesterday.

“The potential impact on Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers have access to limited data, e.g. Jira issues and user lists, which have been seen in screenshots. Support engineers are also able to facilitate password resets and [multi-factor authentication] factors for users, but are not able to obtain these passwords.

“We are actively continuing our investigation, including identifying and contacting customers who may have been affected.”

UPDATE 2: In a new statement, Okta said 2.5% of its customer base was affected by the breach. This would represent approximately 375 customers.
