Authentication giant Okta breached through customer support

Cybersecurity giant Okta, which provides authentication services to private and government customers and manages how hundreds of millions of users securely connect to their employers’ networks, has itself been targeted by a hacking group focused on extortion.

In a statement, Okta said the breach was brief and took place in January. But the method the hackers used to gain access further highlights a weakness of even the largest companies: the hackers targeted a third-party customer support employee.

“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our contractors,” Okta told Motherboard in a statement. “The matter has been studied and brought under control by the subcontractor.”

The statement responded to screenshots of apparent internal Okta systems posted on Monday to the Telegram channel of a hacking group calling itself LAPSUS$. The screenshots showed a user logged into Okta systems, along with the list of apps that user could access from there, and a Slack workspace that appears to belong to Okta. Some of the screenshots also showed someone resetting the password of a specific employee of cybersecurity company Cloudflare, and another appeared to show access to a panel associated with that company. These images suggest the hackers may have been trying to leverage their access to Okta to reach the assets of Cloudflare, which provides infrastructure and security services to millions of websites.

Theoretically, if a hacker had access to Okta’s internal systems, they might be able to leverage that access to target Okta’s customers. Okta, however, said in its statement that “based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

“For a service that powers the authentication systems of most major companies (and endorsed by FEDRAMP), I think these security measures are pretty poor,” LAPSUS$ wrote in a Telegram post accompanying the screenshots, referring to Okta.

Okta added in its statement that “we believe the screenshots shared online are related to this January event.”

Cloudflare responded to the potential targeting of its organization through access to Okta. Matthew Prince, CEO of Cloudflare, tweeted that his company is resetting the Okta credentials of all employees who have changed their passwords in the past four months out of an abundance of caution.

“We have not confirmed any compromise. Okta is a layer of security,” Prince’s tweet added. He even suggested that Cloudflare might switch to another authentication provider because of the compromise. “Since they may have an issue, we are evaluating alternatives for this layer,” he wrote.
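The screenshots above showed a password being reset on a Cloudflare employee’s account from inside Okta, and Cloudflare’s response was to re-issue Okta credentials for anyone whose password had changed in the past four months. The following script is an added example (not code from Okta, Cloudflare or this article) of how a defender would review an identity provider’s audit trail after a support-provider compromise: it flags password resets performed by someone other than the account owner, and computes the set of users whose credentials fall inside a precautionary reset window. The JSON-lines log format, the event names and the 120-day approximation of “four months” are assumptions for the example, not Okta’s real System Log schema.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample audit log in a generic JSON-lines shape. Field names and
# event types are assumptions for this example, not Okta's System Log schema.
SAMPLE_LOG = """\
{"ts": "2021-10-01T09:00:00Z", "event": "user.password.change", "actor": "bob", "actor_role": "user", "target": "bob"}
{"ts": "2021-12-01T14:30:00Z", "event": "user.password.reset", "actor": "it-admin", "actor_role": "admin", "target": "erin"}
{"ts": "2022-01-16T08:15:00Z", "event": "user.password.change", "actor": "alice", "actor_role": "user", "target": "alice"}
{"ts": "2022-01-21T10:05:00Z", "event": "user.password.reset", "actor": "support-eng-7", "actor_role": "support", "target": "carol"}
{"ts": "2022-03-10T12:00:00Z", "event": "user.session.start", "actor": "dave", "actor_role": "user", "target": "dave"}
"""

# Events that indicate a credential was set or changed on an account.
PASSWORD_EVENTS = {"user.password.change", "user.password.reset"}

# Reference "now" for the window calculation (constructed: the week of the report).
NOW = datetime(2022, 3, 22, tzinfo=timezone.utc)


@dataclass
class Event:
    ts: datetime
    event: str
    actor: str        # who performed the action
    actor_role: str   # role of the actor (user, support, admin)
    target: str       # account the action applied to


def parse_events(log_text):
    """Parse JSON-lines audit records into Event objects, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, rec["event"], rec["actor"], rec["actor_role"], rec["target"]))
    return sorted(events, key=lambda e: e.ts)


def third_party_resets(events):
    """Password resets performed on an account by someone other than its owner.

    These are the events a support engineer's (or an attacker holding that
    engineer's session) privileged access would produce, so each one deserves
    confirmation with the account owner.
    """
    return [e for e in events if e.event == "user.password.reset" and e.actor != e.target]


def users_to_reset(events, now, window_days=120):
    """Accounts whose password was set or changed within the last `window_days`.

    Mirrors a precautionary reset of everyone whose credential was touched while
    a compromised support channel could have been in use.
    """
    cutoff = now - timedelta(days=window_days)
    return {e.target for e in events if e.event in PASSWORD_EVENTS and e.ts >= cutoff}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in third_party_resets(evs):
        print(f"REVIEW: {e.ts.isoformat()} {e.actor} ({e.actor_role}) reset password for {e.target}")
    print("Force credential reset for:", sorted(users_to_reset(evs, NOW)))
```

Run as-is, the script flags the two resets done by `it-admin` and `support-eng-7` on other people’s accounts and lists `alice`, `carol` and `erin` for a forced reset; `bob`, whose last change is older than the window, and `dave`, who only logged in, are left alone. The reset-window check deliberately keys on the account that was changed (`target`), not on who changed it, because a reset made by a legitimate administrator inside the window is just as worth re-issuing when the provider’s support tooling is in doubt.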

Companies use Okta as a “single sign-on” (SSO) solution. This means that instead of workers having to remember and manage separate passwords for the variety of services their employer uses, such as cloud storage, email, note-taking and expense filing, all of those logins are managed by Okta behind a single password. The idea is to make authentication easier and more streamlined, and to better ensure that whoever is using a particular online account is the right person. Without it, workers may recycle passwords, potentially exposing different services to hackers; and a company that uses Okta can get more useful information when or if an account is compromised.

Notably, Okta’s description of the hack is somewhat similar to another breach LAPSUS$ appears to be connected to: the June compromise of gaming giant Electronic Arts. As Motherboard revealed, the hackers in that case bought a login token for EA’s Slack instance from an underground market and then, once inside, tricked an EA IT support account into providing them with the two-factor authentication token needed to access other parts of EA’s corporate environment. (The marketplace was Genesis Marketplace, which, incidentally, also sells stolen Okta login tokens, one of the hackers previously told Motherboard.)

Customer support employees are sometimes a target for hackers. As Motherboard previously reported, a hacker bribed a customer service representative on the Roblox gaming platform in order to access individual player accounts.

LAPSUS$ is an increasingly daring hacking group that has targeted a host of companies over the past few months, including Nvidia and Samsung. LAPSUS$ typically breaks into a target’s network, steals sensitive data, and then attempts to extort the victim company. The group has also repeatedly dumped data it said came from victims’ networks.

On Monday, Motherboard reported that Microsoft is investigating a claim from LAPSUS$ that it had breached the company. LAPSUS$ has since posted data on its Telegram channel that it claims came from the company. Microsoft did not immediately respond to a request for an updated statement regarding the data dump.

Joseph P. Harris