A cybercrime group known as Lapsus$ claimed on Monday evening that it compromised Okta, an authentication company used by thousands of organizations across the globe.
In a post on Telegram, the group shared screenshots that appeared to show it had had access to the company’s internal systems since at least January. Lapsus$ stated that its focus was not on Okta itself but on the company’s many prominent customers.
“BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA – our focus was ONLY on okta customers,” the hackers wrote.
Among Okta’s more than 15,000 customers are major companies such as FedEx and T-Mobile as well as government agencies such as the FCC. Okta allows users to securely access multiple services without needing multiple passwords to do so.
Lapsus$ first emerged in December and has since hacked numerous high-profile targets including Nvidia, Samsung, and Ubisoft. Just hours before announcing the Okta breach, Lapsus$ released what it claimed to be data from Microsoft and LG.
In a statement to Reuters, Okta official Chris Hollis admitted that the company had dealt with a security incident back in January but that it had ultimately been “contained.”
“We believe the screenshots shared online are connected to this January event,” Hollis said. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
But experts, who say the screenshots appear to be legitimate, are concerned that the incident could have been more damaging than claimed. Okta also did not answer questions about why customers were not informed of the January security incident at the time.
If the claims are true that Lapsus$ was able to take control of an administrator account at Okta, the hackers could potentially infiltrate its customers’ systems. As noted by WIRED, the alleged breach of Okta could also help explain how a relatively obscure hacking group was able to compromise so many big-name companies.
While the breach could be devastating for Okta’s customers, experts caution that much is still unknown about the situation. At least one of Okta’s clients, the internet infrastructure company Cloudflare, stated that it was not compromised thanks to multiple layers of security but added that it could be looking into an alternative to Okta given that the business “may have an issue.”
The severity of the incident will likely become clearer in the coming days and weeks.
Update 2:17pm CT: In a follow-up statement later on Tuesday, Okta said that the company itself had not been breached but that a third-party contractor’s laptop had been targeted by Lapsus$.
“The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases,” Okta CSO David Bradbury said. “Support engineers do have access to limited data—for example, Jira tickets and lists of users—that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication (MFA) factors for users, but are unable to obtain those passwords.”
In response to the denials, Lapsus$ accused Okta of massively downplaying the incident in a post on Telegram.
“The potential impact to Okta customers is NOT limited,” the group wrote. “I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients’ systems.”