According to Okta, a quick inquiry into the posting of screenshots that appeared to depict a data breach discovered they are linked to a "contained" security incident that occurred in January 2022.
After the LAPSUS$ hacking group shared screenshots on Telegram which it claimed were taken after gaining access to "Okta.com Superuser/Admin and several other systems," Okta, an enterprise identity, and access management business, initiated an investigation.
Lapsus$ is a hacking gang that has risen through the ranks by supposedly breaking into the networks of high-profile companies one by one to collect information and threaten to disclose it online until blackmail payments are made.
Sitel, Okta's third-party provider of customer support services, was hacked by the Lapsus$ data extortion gang. "The Okta Security team was notified on January 20, 2022, a new factor had been added to a Sitel customer service engineer's Okta account. It was a password which served as this factor" Okta explains.
"Though this individual approach was unsuccessful, it reset the account and contacted Sitel," says the company, which then hired a top forensic agency to conduct an investigation.
Okta is a publicly-traded corporation based in San Francisco with thousands of users, including several technology companies. FedEx, Moody's, T-Mobile, JetBlue, and ITV are among the company's top clients.
"Lapsus$ is infamous for extortion, threatening victims with the publication of sensitive information if demands are not met," said Ekram Ahmed, a Check Point spokesperson. "The gang boasts of infiltrating Nvidia, Samsung, and Ubisoft, among others." The public has never fully understood how the gang was able to penetrate these targets.
Okta claims it was unaware of the scope of the event in January, believing it to be restricted to a failed account takeover attempt aimed at a Sitel support engineer. Sitel's hiring of a forensics firm to investigate the incident and prepare a report also assured Okta at the moment the situation didn't need to be escalated any further.
The stock price of Okta dropped about 20% in less than a week after the company's clumsy announcement of the January hacking event.
At first, Okta CEO Todd McKinnon described the event as an "attempt" by malicious attackers to hack a support engineer's account. However, it was eventually discovered the problem had affected 2.5 percent of Okta's clients (366 in total). Sitel's support engineers have restricted access to Jira requests and support systems, but they are not allowed to download, create, or delete client records.
According to Okta, the screenshots posted by the Lapsus$ group were taken from a compromised Sitel engineer's account with limited access. Regardless, the corporation voiced dissatisfaction with the amount of time it took for the investigation's findings to be released.
