Okta should’ve ‘moved more swiftly’ to assess Lapsus$ breach, CSO says

Did you miss the session at the Data Summit? See on-demand here.

Although an investigation into the third-party Octa provider’s breach began on January 21, Octa did not receive a report of the incident until March 17, Octa Chief Security Officer David Bradbury said in a post Tuesday.

Okta also did not make the findings public at the time – after posting screenshots this week as evidence of a breach, the actor behind the breach threat, LePassus વિગતો shared details of the incident publicly. “We must move faster to understand [the report’s] Effects, ”Bradbury said.

Earlier Tuesday, Bradbury revealed that Lapsus $ had access to the account of a customer support engineer who worked for a third-party provider for five days in January.

In a post about the breach investigation, Bradbury identified the third-party provider as Sitel, which provides Octa with contract workers for customer support.


According to Bradbury, the investigation into the breach was conducted by a “leading forensic firm”. The firm has not been identified.

From January 21st to February 28th, the firm conducted its investigation, and its report was submitted to Sitel on March 10th, Bradbury said. Octa received a “summary report of the incident” from Seattle on March 17, he said.

“I am very disappointed with the long time between our notification to Seattle and the issuance of the full investigation report,” Bradbury said.

VentureBeat has reached out to Sitel for comment.

Furthermore, “on reflection, once we receive the Sitel summary report, we must proceed more quickly to understand its implications,” Bradbury said.

Bradbury said the “maximum potential impact” is that the breach could affect 366 customers (approximately 2.5% of Octa’s 15,000 customers).

The identity and access management vendor did not specify how customers would be affected.

“After a thorough analysis of these claims, we conclude that a small percentage of consumers – approximately 2.5% – are potentially affected and whose data has been viewed or acted upon,” Bradbury said in a separate post from the investigation. Who updated the company’s previous statement on the Lapsus 3 breach.

Lepsus $ Leak

The revelation by Okta came in response to a screenshot posted on the Telegram by Lapsus 2, showing what the threatening actor said was “Okta.com superuser / admin and access to various other systems”.

In an updated post Tuesday evening, Bradbury reiterated that “the Octa service is fully operational, and our customers do not need to take any corrective action.”

In an updated post, Bradbury said Octa has identified affected customers and has “already contacted them directly via email.”

“We take our responsibility to keep customer information safe and secure,” he said. “We apologize for the inconvenience and uncertainty.”

Bradbury added that “while this is not a necessary step for consumers, we fully expect them to want to complete their own analysis.”

Main customers

Customers announced by Okta in the past include JetBlue, Nordstrom, Siemens, Slack, Takeda, Teach for America, Twilio, GrubHub, Bain & Company, Fidelity National Financial, Hewlett Packard Enterprise, T-Mobile, Sonos and Moody’s. In 2017, Octa stated that the US Department of Justice is a customer.

In an original post earlier in the day on Tuesday, Bradbury admitted that “there was a five-day window between January 16-21, 2022, where the attacker had access to the support engineer’s laptop.”

“These are consistent with the screenshots we were aware of yesterday,” he said, referring to screenshots posted on the Telegram by Lepsus 2.

“The potential impact to Octa customers is limited to access to support engineers,” Bradbury said.

These engineers “are unable to create or delete users or download customer databases. Support engineers have limited access to data – for example, cumin tickets and a list of users – as seen in the screenshot, “he said.” Support engineers are also able to allow users to reset passwords and MFA factors, but also Is unable to. “

A series of attacks

In a telegram post on Tuesday, responding to Octa’s statement about the breach, Lepsus$ argued that “the potential impact on Octa customers is not limited.”

“I’m sure the password reset and MFA will result in a complete compromise with many client systems,” the group said. Lapsus 2 also claims that Okta “stores AWS keys in Slack.”

Lapsus માનવામાં is believed to be operating in South America. In the past month, Microsoft, Nvidia and Samsung Electronics have confirmed data theft by a threatening actor.

On Monday, Lapsus 7 claimed to have posted Microsoft source code for Bing, Bing Maps and Cortana on Telegram.

In a blog post on Tuesday, Microsoft stated that Lapsus $ had gained “limited access” to Microsoft systems by tampering with an account. “Our cyber security response teams are working to quickly repair the compromised account and prevent further activity,” said Microsoft researchers.

Venturebeat’s mission Transformative Enterprise is about to become a digital town square for technology decision makers to gain knowledge about technology and transactions. Learn more

Similar Posts

Leave a Reply

Your email address will not be published.