Okta Says Lapsus$ Breach Smaller Than First Thought... I’m Not Sure I Buy That

Remember when Okta got pwned by Lapsus$, and it looked like over 300 customers were affected by this breach? Okta says an investigation into the January Lapsus$ breach concluded the incident’s impact was significantly smaller than expected. As in it only affected TWO customers.

Really?

I’m getting ahead of myself. Let’s start with this Tweet from Okta’s Co-founder and CEO:

Inside this Tweet is a report done by Okta’s Chief Security Officer David Bradbury. It’s very much worth reading, but I will hit the highlights for you:

  • The attacker only accessed the two active customer tenants after gaining control of a single workstation used by an engineer working for Sitel, the third-party customer support services provider at the center of the incident.
  • The attacker only had access to anything for 25 minutes before being shut down.
  • The attacker didn’t do anything of significance during that 25 minutes.
  • Okta is going to ensure that its services providers comply with new security requirements, including adopting Zero Trust security architecture and authenticating via Okta’s IDAM solution for all workplace apps.
  • Okta’s relationship with Sitel has been terminated and Okta is now directly managing all third-party devices with access to its customer support tools.

I am not sure I am buying this. Here’s why. Okta’s original rundown of this event, as the company described it at the time, went like this:

  • The hack actually took place in January.
  • The security breach stemmed from someone gaining access to the credentials of a support engineer employed by a sub-contractor, Sitel.
  • Those credentials were then used to access up to 366 client accounts.
  • The company managed to suspend the engineer’s account within 70 minutes of the hack being detected.
  • The subsequent forensic analysis took more than two months.
  • The company didn’t really grasp the implications of this hack until much, much later.

So if you compare this version of events to today’s version, it’s radically different, and I have to ask why. I suspect that others watching this story will be asking similar questions. And I will be waiting to see how Okta explains that. If they can.

UPDATE: I got some commentary from Lucas Budman CEO of TruU:

It is great to hear that Okta’s customers were less affected than assumed; however, this breach was preventable. People assume that they are protected by multi-factor authentication (MFA), but the reality is that multi-factor authentication is not truly multi. Passwords and second factor (2FA) technologies are easily compromised. It is time for the industry to move away from using weak forms of identification and towards truly passwordless MFA-based authentication.
