Okta says it is contacting customers who may be affected. But on Tuesday, companies, including internet infrastructure company Cloudflare, asked why they learned about the incident from tweets and criminal screenshots rather than from Okta itself. However, the identity management company seems to claim that compromising a third-party partner in any way is not a direct breach.
“In Okta’s statement, they said they had not been breached and that the attacker’s attempts had failed, yet they openly admit that attackers had access to customer data,” said independent security researcher Bill Demirkapi. “If Okta knew since January that an attacker may have had access to confidential customer data, why have they never informed any of their customers?”
In practice, breaches of third-party service providers are an established path of attack to ultimately compromise a primary target, and Okta itself seems to be carefully limiting its circle of “sub-processors.” A list of these affiliates as of January 2021 shows 11 regional partners and 10 sub-processors. The latter group are well-known entities such as Amazon Web Services and Salesforce. The screenshots point to Sykes Enterprises, which has a team in Costa Rica, as a possible partner who may have hacked into an employee’s administrative Okta account.
Sykes, which is owned by business services outsourcing company Sitel Group, said in a statement, first reported by Forbes, that it had been breached in January.
“Following a security breach in January 2022 that affected parts of the Sykes network, we took swift action to contain the incident and protect potentially affected customers,” the company said in a statement. “As a result of the investigation, along with our ongoing assessment of external threats, we are confident that there is no longer a security risk.”
The Sykes statement went on to say that the company “is unable to comment on our relationship with specific brands or the nature of the services we provide to our customers.”
On his Telegram channel, Lapsus$ posted a detailed (and often complacent) rebuttal to Okta’s statement.
“The potential impact on Okta customers is NOT limited, I’m pretty sure passwords will be reset and [multifactor authentication] would result in a complete compromise of many client systems,” the group wrote. “If you are committed [sic] how about if you hire a company like Mandiant and PUBLISH their report?”
However, for many Okta customers struggling to understand their potential exposure to the incident, all of this does little to clarify the full scope of the situation.
“If an Okta support engineer can reset passwords and multi-factor authentication factors for users, it could pose a real risk to Okta customers,” said Red Canary’s McCammon. “Okta customers are trying to assess their risk and potential exposure, and the industry in general is looking at this through the lens of preparedness. If or when something like this happens with another identity provider, what should our expectations be regarding proactive reporting and how should our response evolve?”
This post Okta hack? Customers scramble as Okta tries to clear up the breach
was original published at “https://www.wired.com/story/okta-hack-customers-lapsus-breach”
