This article is more than 1 year old

Authentication oufit Okta investigating Lapsus$ breach report

Cloudflare takes no chances, hits the identity reset button

Updated The Lapsus$ extortion crew has turned its attention to identity platform Okta and published screenshots purportedly showing the group gaining access to the company's internals.

The incident follows the group's claim over the weekend that it had made off with chunks of Microsoft's code. However, a compromise at Okta could be altogether more serious since the company's services are used by many others to manage network and application access as well as user identities.

At first glance, it appears that the group gained access to a "superuser" account as well as other internal tools. Okta has yet to confirm this is the case.

Also concerning is the fact that the screenshots appear to come from January 2022, which could mean there has been access for a while. It could also be that some sort of compromise occurred briefly, and the hackers have chosen now to show off their prowess. Okta CEO Todd McKinnon reckoned it was the latter. We're told any intrusion would have been temporary, and limited to a sub-contractor.

Either way, if a breach occurred, the implications are grave. Oliver Pinson-Roxburgh, CEO of security outfit Bulletproof, warned: "As the gatekeeper to the networks and data of thousands of organizations, a breach at Okta would have significant consequences."

"Even before the veracity of such an incident is confirmed," he went on, "it is imperative for businesses to take proactive steps now – any delay risks the potential attack spreading."

Oz Alashe, CEO of CybSafe and chair of the UK government's DCMS Industry Expert Advisory Group on Cyber Resilience, said: "The potential attack on Okta is a striking reminder of the supply chain's cyber risks. Cybercriminals will often identify the route of least resistance. An authentication tool such as Okta provides the opportunity to breach hundreds of large enterprises in one sweep."

However, Alashe cautioned: "While Okta's investigation is ongoing, it's important the security community doesn't jump to conclusions and harass its security team at this challenging time."

That said, some companies were taking no chances. Cloudflare, which uses Okta as an identity provider, announced it would be resetting the Okta credentials of employees. Just in case.

The Register contacted Okta for comment, but the company only repeated the tweeted comments of McKinnon.

While the investigation continues, lets take a moment to review Okta's recent emissions from its social media orifice. We fervently hope that this one won't end up in the "aged badly" bucket. ®

Updated to add on March 23 at 0225 UTC

Rather than it be totally nothing to worry about, Okta now says, after investigating Lapsus$'s claims of an intrusion, "we have concluded that a small percentage of customers – approximately 2.5 percent – have potentially been impacted and whose data may have been viewed or acted upon."

We've covered the new announcement, and news that Microsoft has admitted Lapsus$ accessed its source code, in a new story you can find here.

More about


Send us news

Other stories you might like