Identity and access management provider Okta on Tuesday said it concluded its probe into the breach[1] of a third-party vendor in late January 2022 by the LAPSUS$ extortionist gang.

Stating that the “impact of the incident was significantly less than the maximum potential impact” the company had shared last month, Okta said[2] the intrusion affected only two customer tenants, down from the 366 initially assumed.

The security event[3] took place on January 21, when the LAPSUS$ hacking group gained unauthorized remote access to a workstation belonging to a Sitel support engineer. It only became public knowledge nearly two months later, when the adversary posted[4] screenshots of Okta’s internal systems on their Telegram channel.

In addition to accessing two active customer tenants within the SuperUser application — used to perform basic management functions — the hacker group is said to have viewed limited additional information in other applications such as Slack and Jira, corroborating prior reports.

“Control lasted for 25 consecutive minutes on January 21, 2022,” David Bradbury, Okta’s chief security officer, said. “The threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support ‘impersonation’ events.”

“The threat actor was unable to authenticate directly to any Okta accounts,” Bradbury added.

Okta, which has faced criticism for its delayed disclosure and its handling of the incident, said it has terminated its relationship with Sitel and that it is making changes to its customer support tool to “restrictively limit what information a technical support engineer can view.”
References
Read more https://thehackernews.com/2022/04/okta-says-security-breach-by-lapsus.html
