Okta Hack: Digital Identity Manager with Access to 100 Million Logins Experiences Breach

Okta Data Breach

Okta, the digital identity and access management company, admitted on Tuesday that it had experienced a data breach by the hacking group Lapsus$. Okta, which has a market cap of $25 billion, reported in 2019 that it had over 100 million registered users. The disclosure came in the wake of Lapsus$ posting screenshots on its Telegram channel claiming to have access to Okta’s internal systems.

The hack, which is the latest in a string of cybercrimes that have occurred this year, underlines the importance of cybersecurity in today’s digital landscape. Fortunately, users and administrators can take action to help protect their data.

The Okta Hack Background

Okta is a giant in the identity and access management market. It competes with Microsoft, Ping Identity, and IBM to provide login services such as single sign-on and multi-factor authentication, and its services are used by FedEx, Moody's, the FCC, Peloton, and T-Mobile. With confidence in cloud security already under strain, an attack on a company whose whole business is protecting access to other people's systems is particularly alarming.

Lapsus$, the hacking group claiming responsibility, was also implicated in several high-profile hacks that affected Nvidia, Samsung, Microsoft, and Ubisoft. In its Telegram channel, Lapsus$ claimed to have held superuser/admin access to Okta's systems for two months and posted screenshots of Okta's internal tools, among them Okta's Slack channels and its Cloudflare interface. Lapsus$ also claimed that Okta stored Amazon Web Services (AWS) keys in Slack channels.

Despite the claims made by Lapsus$, Okta downplayed the incident, stating that there was only a five-day window during which an attacker would have had limited access. Okta's chief security officer David Bradbury was quoted saying, "The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users or download customer databases." According to Okta, the compromise was confined to a third-party support engineer's laptop, and the Okta service itself had not been breached.

However, Bradbury also acknowledged that support engineers can reset users' passwords and multi-factor authentication factors (though not read them), and that some customers may therefore have been affected; Okta later put the figure at roughly 2.5 percent of its customers and said it was identifying and contacting them.

Conflicting Reports and Criticisms

Understanding what happened is made harder by the conflicting accounts from Lapsus$ and Okta. Lapsus$ claims the attack went through a thin client, while Okta says it was a laptop. Either way, the lesson is the same: a support engineer's endpoint that can reach the identity provider's administrative tools is a high-value target, and device security and strict data-handling policies for that kind of access matter as much as the security of the core service.

Critics seemed less concerned with the breach itself than with Okta's communication. Since the intrusion took place in January, an announcement delayed until Tuesday, March 22nd looks late. Okta's insistence on downplaying the event, together with its seemingly inconsistent statements, further fueled community anger. Okta's slow response may remind security experts of CafePress' alleged failures to remedy data breaches in 2019.

Even Lapsus$, the group responsible, mocked Okta on its Telegram channel: "For a service that powers authentication systems to many of the largest corporations… I think these security measures are pretty poor." Some of Okta's customers provide services to the U.S. government under FedRAMP, the federal program that authorizes cloud services for agency use only after a security assessment.

How IT Admins and Users Can Respond

IT managers and others took to Twitter to discuss the incident. Some lamented that session tokens had most likely been intercepted; others reported that admins were rotating credentials to keep their own systems from being compromised. As cyberattacks pile up daily, the Okta hack demonstrates the importance of monitoring not just your network but the audit logs of the identity providers you depend on: a support-initiated password or MFA reset looks like a routine administrative event unless someone is actually watching for it.

Network monitoring tools such as Perimeter 81 can help surface abnormal traffic, but keeping track of how your network and services are accessed, and by whom, is only one part of preventing this type of attack from happening to your company. Stay educated and consider building a cybersecurity checklist.

Zero trust network access is also becoming more common. Okta itself is a provider of multi-factor authentication services, which is one reason the hack is so shocking. MFA raises the bar considerably: a password alone is no longer enough, because the attacker also needs the second factor. It is not a guarantee, though. One-time codes can be phished, and an attacker who controls a support channel that can reset MFA factors sidesteps the protection entirely, which is exactly the exposure here; phishing-resistant factors such as hardware security keys close the first gap, and monitoring for unexpected factor resets addresses the second. If you haven't already, enable multi-factor authentication on every service that offers it, and if you rely on services that don't support MFA or 2FA, consider replacing them with ones that do.

Ensure your devices are protected and that users are accessing them securely. The Okta attack would have been far harder to pull off had the right controls been in place. For example, requiring re-authentication when an account is accessed from a new geolocation or IP address is a simple way to slow down an intruder using stolen credentials or a hijacked session. Encrypting access traffic (and, where appropriate, a VPN) protects data in transit, but it does nothing against an attacker who already controls the endpoint, as appears to have been the case here.

Finally, if you are told your account was among those affected, change your password and re-enroll your MFA factors. Keep in mind what the exposure actually was: a support engineer could reset credentials, not read them, so the thing to look for is a password or MFA reset you did not request during the affected window. Forcing everyone to rotate passwords on a schedule does little against that, and current NIST guidance (SP 800-63B) no longer recommends periodic rotation on its own.
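The two checks described above, watching the identity provider's audit log for support-initiated resets and flagging logins from a new location, can be scripted. The following is an added example, not Okta's own tooling or anything published by Okta. The event type names follow the Okta System Log (user.session.impersonation.initiate, user.account.reset_password, user.mfa.factor.reset_all, user.mfa.factor.deactivate, user.session.start); the log lines, user names and IP addresses are constructed for the example, and the January 16-21, 2022 window is the five-day period Okta disclosed.

```python
"""Audit Okta-style System Log events after a support-channel compromise.

Added example, not Okta's code. Event type names follow the Okta System
Log; every event in SAMPLE_LOG is constructed for this example.
"""
import json
from datetime import datetime, timezone

# Five-day window Okta disclosed for the January 2022 incident (UTC, end exclusive).
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)

# Actions a support engineer can take that change who is able to log in.
SENSITIVE_EVENTS = {
    "user.session.impersonation.initiate": "support impersonation session started",
    "user.account.reset_password": "password reset",
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "user.mfa.factor.deactivate": "MFA factor deactivated",
}

# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_LOG = r"""
{"published":"2022-01-15T09:00:00.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"carol@example.com"}],"client":{"ipAddress":"203.0.113.5","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-17T11:02:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-18T14:20:00.000Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"support-vendor@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"192.0.2.44","geographicalContext":{"country":"Brazil"}},"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-18T14:22:00.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"support-vendor@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"192.0.2.44","geographicalContext":{"country":"Brazil"}},"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-19T08:05:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"support-vendor@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"}],"client":{"ipAddress":"192.0.2.44","geographicalContext":{"country":"Brazil"}},"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-20T03:41:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"192.0.2.44","geographicalContext":{"country":"Brazil"}},"outcome":{"result":"SUCCESS"}}
{"published":"2022-01-20T09:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"target":[],"client":{"ipAddress":"192.0.2.44","geographicalContext":{"country":"Brazil"}},"outcome":{"result":"FAILURE"}}
"""


def load_events(text):
    """Parse JSON-lines text into event dicts, sorted by publish time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        # Okta timestamps are ISO 8601 with a trailing Z; normalise for fromisoformat.
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
    events.sort(key=lambda ev: ev["_ts"])
    return events


def sensitive_actions(events, start=WINDOW_START, end=WINDOW_END):
    """Successful reset/impersonation events inside the window.

    Returns (published, actor, target user, description) tuples. The Jan 15
    reset in the sample falls outside the window and is deliberately dropped.
    """
    hits = []
    for ev in events:
        if not (start <= ev["_ts"] < end):
            continue
        desc = SENSITIVE_EVENTS.get(ev["eventType"])
        if desc is None or ev["outcome"]["result"] != "SUCCESS":
            continue
        target = ev["target"][0]["alternateId"] if ev["target"] else "-"
        hits.append((ev["published"], ev["actor"]["alternateId"], target, desc))
    return hits


def new_country_logins(events):
    """Successful logins from a country not previously seen for that user.

    The first successful login per user establishes the baseline; failed
    attempts neither establish nor violate it. Returns (published, user, country).
    """
    seen = {}
    hits = []
    for ev in events:
        if ev["eventType"] != "user.session.start" or ev["outcome"]["result"] != "SUCCESS":
            continue
        user = ev["actor"]["alternateId"]
        country = ev["client"]["geographicalContext"]["country"]
        known = seen.setdefault(user, set())
        if known and country not in known:
            hits.append((ev["published"], user, country))
        known.add(country)
    return hits


def audit(text=SAMPLE_LOG):
    """Run both checks over a JSON-lines export and return the findings."""
    events = load_events(text)
    return {"sensitive": sensitive_actions(events), "new_country": new_country_logins(events)}


if __name__ == "__main__":
    report = audit()
    for row in report["sensitive"]:
        print("RESET/IMPERSONATION", *row)
    for row in report["new_country"]:
        print("NEW-COUNTRY LOGIN", *row)
```

Against the sample, the script reports the impersonation session and password reset on alice, the MFA reset on bob, and alice's subsequent login from Brazil; the help-desk reset on January 15 is ignored because it predates the window. On a real export, the rows in the first list are the accounts whose owners should be asked whether they requested the reset, and the second list is where a re-authentication policy for new locations would have fired.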

Wrapping Up

In the end, the complete fallout from the Okta hack may not be seen for months. Okta customers should exercise extreme vigilance and leverage these cybersecurity safety practices. Unfortunately, this is probably not the last time we will hear from Lapsus$.