28 with 23 posters participating
A relatively new entrant to the ransomware scene has made two startling claims in recent days by posting images that appear to show proprietary data the group says it stole from Microsoft and Okta, a single sign-on provider with 15,000 customers.
The Lapsus$ group, which first appeared three months ago, said Monday evening on its Telegram channel that it gained privileged access to some of Okta’s proprietary data. The claim, if true, could be serious because Okta allows employees to use a single account to log in to multiple services belonging to their employer.
Gaining “Superuser” status
“BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA,” the Telegram post stated. “Our focus was ONLY on okta customers.”
Okta co-founder and CEO Todd McKinnon said on Twitter that the data appears to be linked to a hack that occurred two months ago. He explained:
In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.
In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor. (1 of 2)
— Todd McKinnon (@toddmckinnon) March 22, 2022
In a post published later, Okta Chief Security Officer David Bradbury said there had been no breach of his company’s service. The January compromise attempt referenced in McKinnon’s tweet was unsuccessful. Okta nonetheless retained a forensics firm to investigate and recently received its findings.
“The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop,” the Okta post said. “This is consistent with the screenshots that we became aware of yesterday.”
responded several hours later that Okta may have been compromised but, in any event, “Okta is merely an identity provider. Thankfully, we have multiple layers of security beyond Okta and would never consider them to be a standalone option.”
In a separate tweet, Prince said Cloudflare was resetting Okta credentials for employees who changed their passwords in the past four months. “We’ve confirmed no compromise,” he added. “Okta is one layer of security. Given they may have an issue, we’re evaluating alternatives for that layer.”
@Okta may have been compromised. There is no evidence that Cloudflare has been compromised. Okta is merely an identity provider for Cloudflare. Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.
— Matthew Prince 🌥 (@eastdakota) March 22, 2022