Okta disclosed a potential breach after the extortion group Lapsus$ posted screenshots of Okta's internal environment to its Telegram channel. The group claims to have accessed Okta's customer data, stating that it did not access or steal any databases from Okta itself, only from Okta's customers. Clocks visible in some of the screenshots show a date in January 2022, indicating that the activity likely took place then.
Okta CEO Todd McKinnon confirmed that in January Okta detected the compromise of an account belonging to a third-party customer support engineer working for one of Okta's subprocessors. He stated that while Okta believes the screenshots are connected to that January event, the incident was investigated and contained at the time. Okta is continuing to investigate in light of the screenshots, but says it has found no evidence of ongoing malicious activity.
Lapsus$ has been involved in a string of breaches in which it claimed to have stolen data from a number of organizations, including NVIDIA, Microsoft, Samsung, and LG. Extortion groups focus on stealing proprietary data, which they threaten to publish if their demands are not met. Despite speculation, there is no evidence confirming that the compromise of Okta in late January was used to gain access to these victims.
There is little public information on the TTPs the group has used for initial access in past breaches. Unconfirmed reports attribute phishing and exposed RDP connections to the group, and there is firmer evidence that it has leveraged malicious insiders for initial access. Earlier this month, the group posted on its Telegram channel that it was looking to recruit employees at telecommunications firms, large software or gaming companies, and data hosts. It stated that it was looking specifically for employees who can provide VPN or Citrix access to the corporate network. Access obtained this way arrives as a legitimate, authenticated remote session rather than an exploit, which is why credential-based detections and anomaly baselining on remote-access logins matter more than perimeter controls against this kind of approach.