Okta Faces a Crisis of Confidence

Okta (Nasdaq: OKTA), a leading provider of zero trust network access (ZTNA) and identity access management (IAM) services, has ended up in hot water after conceding that a January 2022 security breach that’s come to light this week may have affected hundreds of its customers.

In a statement updated late yesterday afternoon and reiterated in an online Zoom briefing with customers today, Okta’s chief security officer David Bradbury said Okta is directly contacting approximately 2.5% of its customers, a group Okta puts at 366, who could “have potentially been impacted and whose data may have been viewed or acted upon” during the January breach.

That Okta’s admission of that breach just came to light this week has put the company in a compromised position in the security world. Further, a drip-and-drab approach to releasing the details has outraged observers and customers worldwide – a list that Okta has claimed to number over 15,000, including Experian, the FCC, Fedex, MGM Resorts, Priceline, Nasdaq, JetBlue, T-Mobile, HPE, Moody’s, Fidelity National Financial, GrubHub, DISH Network, News Corp, HackerOne, Hertz, Hitachi, NTT Data, and many others.

Timeline of Trouble

The trouble started in January 2022, when, according to a statement from Bradbury, “Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider.” Apparently, the attempt was successful, however, because it resulted in “a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop.”

On March 21, the attacker in question, a shady hacker group called LAPSUS$ that has been acknowledged to have hacked source code from Microsoft (Nasdaq: MSFT), and reportedly also secrets from NVIDIA (Nasdaq: NVDA) and Samsung, posted screenshots on Telegram from what appeared to be confidential interfaces related to a superuser of Okta’s services.

At first, the screenshots looked like a fresh hack, but subsequent investigation revealed they’d originated back in January. Okta subsequently admitted there had been a breach, much to the chagrin of customers and security experts worldwide. Still, the firm downplayed the event, saying it had been resolved and no user accounts affected.

LAPSUS$ told a different story. The group said it not only had access to Okta customer information for five days, but it has enjoyed access ever since, as indicated in a recent Tweet:

Source: Twitter

LAPSUS$ also has revealed some embarrassing aspects of Okta’s technology, namely that it accessed the system via Remote Desktop Protocol (RDP), not the laptop itself, making the invasion potentially more insidious; and that it found that Okta was storing AWS keys in Slack channels, making them visible to qualified technicians.

Subsequent to these revelations, Okta has acknowledged that yes, perhaps some user accounts have been compromised. Still, Okta maintains that no actions need to be taken by exposed customers, since the laptop access was "highly constrained" by least-privilege rights granted to the user.

A Chain of Neglect

The engineer’s laptop invaded by LAPSUS$ belonged to a Costa Rica-based employee of Sykes, a customer support subcontracting firm that was purchased by marketing services giant Sitel Group for $2.2 billion in September 2021. Access to the laptop gave the hackers access to the customer accounts and the ability to change passwords for those accounts.

According to at least one report, the screenshots posted by LAPSUS$ indicate that access was given to Okta customers’ accounts for Atlassian Jira, Amazon Web Services, Google's Gmail, Salesforce, Splunk, and Zoom. There was also a screenshot of a Cloudflare (NYSE: NET) application, which prompted that company to conduct its own investigation and to post the results on its website and Twitter, including a mention of plans to explore alternatives to Okta:

Source: Twitter

Laying Blame

Observers strongly criticized Okta for failing to disclose the LAPSUS$ hack initially. But even worse is the implication that Okta failed to address the problem adequately. Instead, an updated blog from CSO Bradbury features an explanation that Okta left the bulk of incident reporting to Sitel, since the laptop compromised belonged to the subcontractor. Unfortunately, it looks like Sitel took its time getting to the bottom of things with yet another third-party forensic investigator, and its summary report wasn’t delivered to Okta until March 17, with the final report coming only this week.

In his blog and online, Bradbury blames Sitel in the main, though admitting that perhaps it would have been better to come clean publicly a bit earlier on:

“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.”

Customers Must Wait and See

Ultimately, Okta hasn’t done itself any favors with its gradual admission that some of its customers may have been breached by a hack that went undisclosed for two months. The company’s wish to lay blame on a subcontractor isn’t pretty either.

Perhaps the worst of the incident are its unknowns. If LAPSUS$ really has been active in customer accounts, which the group says has been its intent all along, what is the extent of damage? And what does it say about a major vendor of identity protection that it not only failed to disclose a breach, but failed to address it effectively? We may not know until each customer contacted by Okta has completed its own investigation.