Okta chief security officer David Bradbury said in a post Tuesday that “the Okta service has not been breached and remains fully operational.”
“There are no corrective actions that need to be taken by our customers,” Bradbury said.
However, an attacker did access the account of a customer support engineer, who worked for a third-party provider, for five days in January, according to Bradbury. The third-party provider was not identified.
“There was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday,” Bradbury said.
Bradbury referred to screenshots posted on Telegram by hacker group Lapsus$, showing what the group said was “access to Okta.com Superuser/Admin and various other systems.”
The potential breach of a customer of the major identity and access management vendor raised questions about the extent and severity of the potential breach.
Security researcher Runa Sandvik said on Twitter that some may be “confused about Okta saying the ‘service has not been breached.’”
“The statement is purely a legal word soup,” Sandvik said. “Fact is that a third-party was breached; that breach affected Okta; failure to disclose it affected Okta’s customers.”
VentureBeat has reached out to Okta for comment.
In the post Tuesday, Bradbury said that the “potential impact to Okta customers is limited to the access that support engineers have.”
These engineers “are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots,” he said. “Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.”
Okta is “actively continuing our investigation, including identifying and contacting those customers that may have been impacted,” Bradbury said.
Okta’s stock price was down $5.49, or about 3.2%, as of mid-afternoon ET on Tuesday. An analyst at Truist, Joel Fishbein, reportedly called the claimed breach “concerning” amid cutting his rating on Okta.
Lapsus$ specified that it did not access Okta itself. “Our focus was ONLY on okta customers,” the group said in its Telegram post.
Lapsus$ is believed to operate in South America. Over the past month, vendors including Nvidia and Samsung Electronics confirmed the theft of data by the threat actor. On March 1, for instance, Nvidia said that “we are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online.”
Stolen Nvidia data reportedly included designs of graphics cards and source code for DLSS, an AI rendering system. Meanwhile, on Monday, Lapsus$ claimed to have posted Microsoft source code for Bing, Bing Maps and Cortana. Microsoft said it is aware of the claims and is investigating them.
Experts have said that Lapsus$’ motives remain unclear, given the lack of financial demands in the past.