Hundreds of Okta customers may have been impacted in a cyber incident that saw hackers seize control of a computer used by a third-party contractor.
Screenshots purportedly of the digital authentication firm’s internal systems emerged online yesterday, with hacking group LAPSUS$ claiming responsibility.
Okta initially said the hack could be related to a previously undisclosed incident that took place in January, which it has now confirmed.
In a blog post on Wednesday afternoon, chief security officer David Bradbury said the screenshots originated from a device owned and managed by third-party provider, Sitel Group.
He said as many as 366 customers may have been impacted during a five-day period in which the threat actor had access to the Sitel device, but described the figure as a worst case scenario.
In arriving at that figure, Okta examined all Sitel access to an internal application called SuperUser, which is used to perform basic management functions on Okta tenants.
“Over the past 24 hours we have analysed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period,” Bradbury wrote.
“We have determined that the maximum potential impact is 366 (approximately 2.5 percent of) customers whose Okta tenant was accessed by Sitel."
Bradbury said the “attacker never gained access to the Okta service via account takeover”.
“A machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session,” Bradbury said.
Outsourced support engineer access is “limited to basic duties in handling inbound support queries”, meaning they cannot “download customer databases” or “access our source code repositories”, he said.
“Because of the access that the support engineers had, the information and the actions were constrained,” he added.
The backstory
Bradbury said that Sitel Group, through its acquisition of Sykes in September 2021, came to provide Okta with contractors to its customer support operations.
He said that Okta's security team was first "alerted that a new MFA factor had attempted to be added to a Sitel customer support engineer’s Okta account" on January 20 this year.
“Although that individual attempt [to add the new factor] was unsuccessful, out of an abundance of caution, we reset the account and notified Sitel who engaged a leading forensic firm to perform an investigation," he said.
The investigation ran from January 21 to March 10, with Okta receiving a summary report from Sitel on March 17.
A final report into the incident was only received by Okta after the screenshots were shared online by LAPSUS$.
Bradbury said he was “greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report”.
He also noted that Okta should have moved more swiftly to understand the implications of the incident when it received the summary report.
Despite this, Bradbury said he is “confident in our conclusions that the Okta service has not been breached” and that there was no need for customers to take any corrective actions.
“While it is not a necessary step for customers, we fully expect they may want to complete their own analysis,” he added.
Customers on the impacted tenant "will receive a report that shows the actions performed on their tenant by Sitel."
