Okta revises original statement, says 366 customers affected by Lapsus$ breach
Updated 2:35pm EST with additional details from a live webinar hosted by Okta.
Okta chief security officer David Bradbury revealed on Wednesday morning that 366 customers were impacted by a recent breach caused by extortion group Lapsus$.
Bradbury also said the breach – which Okta previously attributed to a customer support engineer working for an unnamed third-party provider – was traced back to Sitel, a contact center company headquartered in Miami.
Bradbury hosted a live webinar where he laid out a timeline for the breach, explaining that in January someone attempted to enroll in MFA through Sitel.
The attacker allegedly gained access to the engineer’s device through a remote desktop protocol while the person was logged into Okta. From January 16 and January 21, 366 companies with Okta accounts were accessed through Sitel.
Okta eventually terminated the session and reset the account before informing Sitel of the incident. Sitel then hired a company to conduct an investigation into the incident after Okta shared some indicators of compromise. The investigation ran until March 10 and Sitel was provided with a detailed report on the incident, according to Bradbury.
Sitel sent Okta a summary of the report on March 17 and a full copy of the report on Tuesday.
"Upon reflection, once we received the Sitel summary report last week, we should have moved more swiftly to understand its implications," Bradbury said.
Okta released an updated statement on Tuesday night, announcing that 2.5% of the identity and access management firm’s customers were impacted by the breach. The company has more than 15,000 customers, including the US Justice Department.
Okta did not respond to requests for comment about which companies may be affected.
“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon,” Bradbury wrote on Tuesday.
“We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email.”
On Tuesday morning, the company claimed it had not been breached yet admitted that Okta was in the process of identifying and contacting customers that may have been impacted. They said there was “no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.”
Members of Lapsus$ took to Telegram immediately after the first statement was released, criticizing the company for its comments and airing several troubling – but unconfirmed – facts about Okta’s security practices.
After Okta released its updated statement, Lapsus$ members again took to Telegram to say they will be on vacation until March 30 and “will be quiet for some time.”
“Thanks for understand us. - we will try to leak stuff ASAP,” they said.
The extortion group – which experts believe is based somewhere in South America – also made waves this week for an attack on Microsoft. They leaked screenshots related to Bing and Cortana products.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.