Lapsus$ hackers may have entered Okta via password spreadsheet

The Lapsus$ hackers who hacked into security company Okta earlier this month previously found a spreadsheet with passwords at a subcontractor of the company. Through that company, Sykes, the hackers may have managed to get into the Okta systems.

The attackers who previously penetrated Okta may have used passwords they found at Sykes, writes Techcrunch based on documents surrounding the hack. Those documents provide more details about how the attackers hacked into customer service company Sykes and got into Okta from there. Okta outsourced customer service tasks to Sykes. According to the documents, the Lapsus$ hackers penetrated there on January 21. This happened via a VPN that Sykes used on an old network of parent company Sitel Group.

The hackers then moved through Sykes’ network using remote access services and publicly available hacking tools. This would also have penetrated the Azure environment. The hackers had access to Sykes’ systems for five days. Then Sykes reset all passwords on the network.

While searching Sykes’ network, the hackers found a file called DomAdmins-LastPass.xlsx. That would possibly be an export of a LastPass account, according to Techcrunch. Five hours after the find, the attackers managed to enter Okta’s networks. The hackers also created a backdoor by creating a new user on Sykes parent company Sitel’s network, in case they were locked out. While the documents don’t specifically state whether the passwords in the spreadsheet were used to get into Okta, that does match the timeline of the hack.

Okta has now a faq apologized for the slow response to the leak. “We made a mistake. Sitel is our service provider for which we are ultimately responsible,” the company writes. Okta had known about a possible break-in at Sitel for some time, but didn’t come out with it. The company now says it thought there would be little risk to customers.