Okta investigation: Hackers broke into only two customers
The Lapsus$ hackers who attacked security company Okta in January managed to get into only two customers. The attackers were in the company’s systems for 25 minutes and did not hit 366 customers as previously thought.
Okta has completed its investigation into the hack that happened in January and came to light in March. At the time, hackers from the Lapsus$ group broke in via an intermediate supplier at a subcontractor of Okta, which builds single sign-on software. It was previously unknown how many customers were affected. Okta later claimed that there were a maximum of 366. That estimate was based on the number of times subcontractor employees had made a SuperUser access request to customers during the time frame in which the hack occurred.
Okta has now finally completed the investigation into the hack. The main conclusions about the original infiltration remain. The hackers got in through one laptop belonging to a Sitel subcontractor, who provided customer service on behalf of Okta. The attack took place on January 25. Okta now says the hackers had access to customers’ systems for just 25 minutes in total.
In those 25 minutes, the attackers broke into two of those customers. It is not known who they are, but Okta has informed them. According to Okta, the hackers did not change any configurations in the customer systems and did not perform any password or multi-factor authentication resets.
Okta also says the attackers had access to Okta’s internal systems, including Slack and Jira. There, the attackers reportedly did not find any information that would have let them penetrate the systems further. Okta has stopped working with the subcontractor and says it will take measures. The company wants to establish a new zero-trust policy, communicate better with customers and manage third-party tools better.
The report is not public. Okta has only published the conclusions. One piece of information missing from the report is exactly how the attackers broke into the subcontractor. TechCrunch previously wrote that the hackers had found a spreadsheet with passwords, but the subcontractor later denied that.