Okta apologizes for waiting two months to notify customers of Lapsus$ breach
In a lengthy FAQ released late on Friday, Okta said it “made a mistake” in how it handled a recent hack involving hundreds of its customers.
The access management company has faced a wave of backlash and criticism after initially downplaying the January attack on third-party provider Sitel before admitting that 366 customers were impacted by the breach.
Some have questioned whether Okta would have ever notified customers if extortion group Lapsus$ had not begun bragging about the incident on Telegram last week.
Okta chief security officer David Bradbury publicly apologized for the incident last Wednesday, but it was not until Friday that the company released a more detailed response to complaints about the two months between when the attack occurred and when the public was notified.
“We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible. In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate,” Okta said in the FAQ that was released on Friday.
“At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel. In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.”
The Okta Security team was alerted on January 20 that a new multi-factor authentication factor had been added to a Sitel customer support engineer’s Okta account, and it notified Sitel that same day.
But neither Okta nor Sitel released any public notice or confirmation of the breach until reporters began asking questions after members of Lapsus$ posted screenshots of Okta’s internal systems on March 21.
Okta claims it only received a summary of the incident report from Sitel on March 17 and a copy of the full report on March 22.
Okta reiterated that, outside of the 366 customers it has contacted (which it has not named), no other customers are at risk or need to change their passwords.
“We are confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers. We are confident in this conclusion because Sitel (and therefore the threat actor who only had the access that Sitel had) was unable to create or delete users, or download customer databases,” Okta said.
“Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to choose those passwords. In order to take advantage of this access, an attacker would independently need to gain access to a compromised email account for the target user.”
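Two technical points in the article lend themselves to a concrete check: the alert that fired when a new factor was enrolled on a support engineer’s account, and the password and MFA resets that a support engineer can trigger against a customer tenant. The following is an added example, not part of the original article and not Okta’s own tooling. It triages Okta System Log events, flags factor enrollments and resets performed by someone other than the account owner, and pairs a third-party reset with a subsequent factor enrollment by that same third party, which is what an account takeover through delegated support access would look like in a tenant’s own logs. The event-type names and the actor/target/outcome layout follow the public System Log schema; the log records themselves are constructed for the example, the identities in them are hypothetical, and the one-hour pairing window is an assumption.

```python
"""Triage Okta System Log events for MFA-factor and password-reset activity.

Added example; not Okta's code. Event types and the actor/target/outcome
layout follow the public Okta System Log schema. The records in SAMPLE_LOG
are constructed for this example and do not come from the incident.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Events that change how a user authenticates. The first is the kind of
# event Okta says alerted its security team on January 20; the other three
# are what delegated support access can trigger against a tenant.
WATCHED_EVENTS = {
    "user.mfa.factor.activate": "new MFA factor enrolled",
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.account.reset_password": "password reset issued",
}
RESET_EVENTS = {k for k in WATCHED_EVENTS if k != "user.mfa.factor.activate"}

# Constructed newline-delimited System Log export (one JSON object per line).
# alice enrolls her own factor; a hypothetical third-party support identity
# resets bob's password and enrolls a factor on his account seven minutes
# later; a helpdesk reset against carol fails.
SAMPLE_LOG = """
{"published": "2022-01-20T09:50:00.000Z", "eventType": "user.session.start", "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": [], "outcome": {"result": "SUCCESS"}}
{"published": "2022-01-20T09:55:00.000Z", "eventType": "user.mfa.factor.activate", "actor": {"type": "User", "alternateId": "alice@example.com"}, "target": [{"type": "User", "alternateId": "alice@example.com"}], "outcome": {"result": "SUCCESS"}}
{"published": "2022-01-20T10:00:00.000Z", "eventType": "user.account.reset_password", "actor": {"type": "User", "alternateId": "support.agent@vendor.example"}, "target": [{"type": "User", "alternateId": "bob@example.com"}], "outcome": {"result": "SUCCESS"}}
{"published": "2022-01-20T10:07:00.000Z", "eventType": "user.mfa.factor.activate", "actor": {"type": "User", "alternateId": "support.agent@vendor.example"}, "target": [{"type": "User", "alternateId": "bob@example.com"}], "outcome": {"result": "SUCCESS"}}
{"published": "2022-01-20T11:00:00.000Z", "eventType": "user.mfa.factor.reset_all", "actor": {"type": "User", "alternateId": "helpdesk@example.com"}, "target": [{"type": "User", "alternateId": "carol@example.com"}], "outcome": {"result": "FAILURE"}}
"""


def parse_time(ts):
    """System Log 'published' timestamps are UTC ISO-8601 with milliseconds."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_events(ndjson):
    """Parse a newline-delimited JSON export into a list of event dicts."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def target_user(event):
    """Return the login of the User entry in the event's target list, if any."""
    for t in event.get("target") or []:
        if t.get("type") == "User":
            return t.get("alternateId")
    return None


def flag_factor_changes(events):
    """One finding per watched event. A change made by someone other than the
    account owner is 'high'; a self-service change is 'info'."""
    findings = []
    for ev in events:
        description = WATCHED_EVENTS.get(ev.get("eventType"))
        if description is None:
            continue
        actor = (ev.get("actor") or {}).get("alternateId")
        target = target_user(ev)
        self_service = actor is not None and actor == target
        findings.append({
            "time": parse_time(ev["published"]),
            "event": ev["eventType"],
            "description": description,
            "actor": actor,
            "target": target,
            "outcome": (ev.get("outcome") or {}).get("result"),
            "severity": "info" if self_service else "high",
        })
    return findings


def takeover_sequences(findings, window_minutes=60):
    """Pair a successful third-party reset with a later successful factor
    enrollment on the same account inside the window (window is assumed)."""
    by_target = defaultdict(list)
    for f in findings:
        if f["severity"] == "high" and f["outcome"] == "SUCCESS":
            by_target[f["target"]].append(f)
    window = timedelta(minutes=window_minutes)
    hits = []
    for target, fs in by_target.items():
        fs.sort(key=lambda f: f["time"])
        for i, reset in enumerate(fs):
            if reset["event"] not in RESET_EVENTS:
                continue
            for later in fs[i + 1:]:
                if (later["event"] == "user.mfa.factor.activate"
                        and later["time"] - reset["time"] <= window):
                    hits.append({"target": target, "actor": later["actor"],
                                 "reset": reset["event"],
                                 "enrolled_at": later["time"].isoformat()})
                    break
    return hits


if __name__ == "__main__":
    found = flag_factor_changes(parse_events(SAMPLE_LOG))
    for f in found:
        print(f["severity"].upper(), f["time"], f["description"],
              "actor=%s target=%s outcome=%s" % (f["actor"], f["target"], f["outcome"]))
    for hit in takeover_sequences(found):
        print("TAKEOVER PATTERN:", hit)
```

The self-service case stays at informational severity because factor enrollment by the account owner is routine; what matters for this incident is a reset or enrollment by a different identity, which is exactly the access Okta describes support engineers as having. Against a real export the same two functions apply unchanged; only the sample records are constructed.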
The City of London Police told Hacker News last week that seven people connected to Lapsus$ were arrested and then released as the investigation into the attacks on Okta – as well as Microsoft, Nvidia and others – continues.