Security Advisory: Authentication Firm Okta Data Breach | Loop Secure
Loop is closely monitoring emerging details of a breach involving Okta in January 2022. Loop’s understanding of the current situation is as follows.
On Tuesday, 22 March 2022, the data extortion group “LAPSUS$” posted screenshots in its Telegram channel and claimed to have breached Okta in January 2022, gaining access to a support engineer’s account. LAPSUS$ stated that its target was Okta’s customers, reached through that access, rather than Okta itself. LAPSUS$ has previously claimed responsibility for breaches of Microsoft, Nvidia, Samsung and LG Electronics.
Okta’s Chief Security Officer, David Bradbury, has responded publicly via Okta's blog post and stated the following: “The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.” Okta estimates that approximately 2.5% of its customers have potentially been impacted and that their data may have been viewed or acted upon. Okta has identified those customers and is contacting them directly.
Bradbury states that a threat actor had access to a support engineer’s laptop between 16 and 21 January 2022, and that during this window the potential impact to Okta customers would have been limited to the access held by that engineer:
“The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”
If the threat actor was able to reset MFA factors, affected users would have been exposed to password-only attacks such as credential stuffing or password spraying: once a user’s MFA factor is reset, the second factor is no longer enforced at sign-in and the attacker needs only a valid username and password, so accounts with weak or reused passwords become highly vulnerable. Customers in the affected set should review their Okta System Log for MFA factor resets, factor deactivations and password resets facilitated by Okta support between 16 and 21 January 2022 that were not requested by their own administrators.
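As an added example (not from this advisory, from Okta or from LAPSUS$), the following Python script shows one check a practitioner would want after reading the above: it reads exported Okta System Log events, keeps successful MFA factor resets, factor deactivations and password resets that fall inside the 16-21 January 2022 window, and flags those whose actor is not one of the org’s own administrators. The event type names follow Okta’s System Log schema but should be confirmed against your tenant’s event catalog; the sample events, the actor addresses and the admin list are constructed for illustration and are not real Okta data.

```python
"""Added example: triage exported Okta System Log events for MFA factor resets,
factor deactivations and password resets that fall inside the reported window
(16-21 January 2022) and were not performed by one of the org's own admins.

Assumptions (not from the advisory): the eventType names are taken from the Okta
System Log schema and should be confirmed against your org's event catalog; the
sample events, addresses and admin list below are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Okta System Log eventType values that remove or replace an authentication factor.
SUSPECT_EVENT_TYPES = {
    "user.mfa.factor.reset_all",      # all MFA factors reset for a user
    "user.mfa.factor.deactivate",     # a single factor removed
    "user.account.reset_password",    # password reset initiated
    "user.account.update_password",   # password changed
}

# Window reported by Okta; end is exclusive so the whole of 21 January is covered.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)


def parse_published(ts):
    """Okta publishes ISO 8601 timestamps with a trailing 'Z'; fromisoformat
    only accepts 'Z' from Python 3.11, so normalise it to an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspect_resets(events, known_admins, start=WINDOW_START, end=WINDOW_END):
    """Return successful factor/password reset events inside [start, end)
    whose actor is not a known administrator of the org."""
    hits = []
    for ev in events:
        if ev.get("eventType") not in SUSPECT_EVENT_TYPES:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # a failed reset did not remove a factor
        when = parse_published(ev["published"])
        if not (start <= when < end):
            continue
        actor = ev.get("actor", {}).get("alternateId", "<unknown>")
        if actor in known_admins:
            continue  # resets by the org's own admins are expected activity
        targets = [t.get("alternateId") for t in ev.get("target", [])
                   if t.get("type") == "User"]
        hits.append({
            "published": ev["published"],
            "eventType": ev["eventType"],
            "actor": actor,
            "targets": targets,
        })
    return hits


# Constructed sample export (not real Okta data), one event per line as the
# System Log API returns them when saved as JSON Lines.
SAMPLE_LOG = """\
{"eventType":"user.mfa.factor.reset_all","published":"2022-01-18T03:12:44.000Z","actor":{"type":"User","alternateId":"support-eng@okta.example"},"target":[{"type":"User","alternateId":"cfo@customer.example"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.reset_all","published":"2022-01-19T09:01:10.000Z","actor":{"type":"User","alternateId":"it-admin@customer.example"},"target":[{"type":"User","alternateId":"newhire@customer.example"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.reset_password","published":"2022-01-20T17:45:02.000Z","actor":{"type":"User","alternateId":"support-eng@okta.example"},"target":[{"type":"User","alternateId":"cfo@customer.example"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.deactivate","published":"2022-01-21T23:59:59.000Z","actor":{"type":"User","alternateId":"support-eng@okta.example"},"target":[{"type":"User","alternateId":"dev@customer.example"}],"outcome":{"result":"FAILURE"}}
{"eventType":"user.mfa.factor.deactivate","published":"2022-01-25T08:00:00.000Z","actor":{"type":"User","alternateId":"support-eng@okta.example"},"target":[{"type":"User","alternateId":"dev@customer.example"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2022-01-18T03:15:00.000Z","actor":{"type":"User","alternateId":"cfo@customer.example"},"target":[],"outcome":{"result":"SUCCESS"}}
"""

# Hypothetical list of the org's own administrators whose resets are expected.
KNOWN_ADMINS = {"it-admin@customer.example"}


def load_events(jsonl):
    """Parse a JSON Lines export into a list of event dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def triage_sample():
    """Run the hunt over the constructed sample export."""
    return find_suspect_resets(load_events(SAMPLE_LOG), KNOWN_ADMINS)


if __name__ == "__main__":
    for hit in triage_sample():
        print(f"{hit['published']} {hit['eventType']} by {hit['actor']} -> {hit['targets']}")
```

On the constructed sample, the two successful resets against cfo@customer.example by the support account are flagged, while the admin-initiated reset, the failed deactivation, the out-of-window event and the unrelated session start are ignored. In a real review, any flagged event whose target user did not open a support case should be treated as a candidate for credential compromise and followed by a forced password change and MFA re-enrolment.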
In response to this breach, Loop has increased threat hunting activities, as appropriate, for our Managed Detection & Response clients.
We will continue to update this blog if new information emerges.