Okta Breached By Lapsus$, Exposing Customer Data, Group Claims

‘For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor,’ extortion gang Lapsus$ boasted on Telegram.

Ransomware gang Lapsus$ strikes again, posting screenshots to its Telegram channel Tuesday of what it alleges is data from customers of identity security giant Okta.

Lapsus$ claims it acquired “superuser/admin” access to Okta.com and used that to access Okta’s customer data, according to screenshots posted by BleepingComputer. Lapsus$ said its focus was only on Okta customers, with the data extortion operator claiming that it didn’t access or steal any databases from the San Francisco-based identity and access management titan itself.

“For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor,” Lapsus$ boasted on Telegram, according to screenshots.

Okta co-founder and CEO Todd McKinnon said the screenshots shared by Lapsus$ are believed to be connected to an incident from late January, with no evidence of ongoing malicious activity beyond what happened then. The company’s stock was down $14.42 (8.51 percent) to $154.99 per share in pre-market trading Tuesday, the lowest Okta’s stock has traded since March 15.

“In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors,” McKinnon wrote on Twitter at 4:23 a.m. ET Tuesday. “The matter was investigated and contained by the subprocessor.”

Okta didn’t immediately respond to a request for additional comment from CRN. Screenshots shared by Lapsus$ show the system date set to Jan. 21, 2022, indicating the hack may have occurred months ago, according to BleepingComputer.

Images posted to the Lapsus$ Telegram account appear to show Okta’s internal tickets and its in-house chat on the Slack messaging app, Reuters reported. Independent security researcher Bill Demirkapi told the news agency that he believes the screenshots are credible.

Okta is the world’s largest pure-play identity security provider, with sales in the fiscal year ended Jan. 31, 2022, surging to $1.3 billion, up 56 percent from $835.4 million a year earlier. The company’s net loss in fiscal 2022 deepened to $848.4 million, 219 percent worse than the $266.3 million net loss Okta recorded the year prior, due primarily to the company’s $6.5 billion acquisition of Auth0 in May 2021.

Two days before boasting about hitting Okta, Lapsus$ posted on Telegram saying it had breached internal source code repositories for Microsoft Azure DevOps. The ransomware operator shared images on Telegram showing access to Bing- and Cortana-related projects. Shortly after publication, Lapsus$ removed the post and published the message “Deleted for now will repost later.”

Earlier this month, Lapsus$ said it stole Samsung’s source code and biometric unlocking algorithms for its Galaxy devices, compromising sensitive hardware controls. The breach involved 190 gigabytes of Samsung data, and included leaked source code for trusted applets, algorithms for biometric unlock operations, bootloader source code for all recent Samsung devices and authentication codes, Lapsus$ said.

In late February, Nvidia allegedly launched a retaliatory strike against Lapsus$ to prevent the release of the chipmaker’s stolen data, the ransomware group claimed. Nvidia said the threat actors obtained the company’s network credentials and, through deception, obtained two-factor authentication capability and access to Nvidia’s network. The actors then leaked some proprietary Nvidia information online.