Lapsus$ hacking group hit authentication vendor Okta

Authentication provider Okta is the latest company to fall victim to the high-profile Lapsus$ hacking operation.

The vendor confirmed on Tuesday that at least one of its corporate accounts had been hacked by the suspected South American hacking group, though exact details of the attack and the affected data remain unclear.

According to Okta, the Lapsus$ crew was able to socially engineer a single end-user account for a customer service agent at a third-party provider. The vendor says there was no internal breach of its network.

"The Okta service has not been breached and remains fully operational," Okta said in a statement issued by chief security officer David Bradbury.

"There are no corrective actions that need to be taken by our customers."

UPDATE MARCH 22: Bradbury posted an update to his statement Tuesday evening. "After a thorough analysis of these claims, we have concluded that a small percentage of customers -- approximately 2.5% -- have potentially been impacted and whose data may have been viewed or acted upon," he said. "We have identified those customers and are contacting them directly."

It's unclear how the Lapsus$ hackers may have acted upon the customer data, but Bradbury reiterated that the Okta authentication service was fully operational and "there are no corrective actions our customers need to take."

According to Bradbury's original statement, the hijacked account had no ability to create or delete accounts and had "limited data" access to things like Jira tickets and screenshots.

Okta said the account was under the control of the attackers from Jan. 16-21.

"We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted," Bradbury noted.

"There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers."

While word broke on Monday about a potential Lapsus$ breach, the company issued a brief statement as it investigated the matter. In the meantime, details emerged from Lapsus$ on what data and access the group believed it had obtained from the authentication vendor.

Even after Okta released its statement on the report, the two groups remain at odds over the extent to which the company's network was accessed and just how much customer information the Lapsus$ hackers are able to access.

According to the crew's response to Okta, the vendor is downplaying the severity of its breach. Most notably, the hackers claim that the "customer service" account they were able to steal was also able to re-set the credentials of around 95% of Okta's customer passwords.

Okta's partner companies, such as Cloudflare, found the incident severe enough to launch their own internal investigations into the matter and detail how it would affect their own services and customers. "We have investigated this compromise carefully and do not believe we have been compromised as a result," Cloudflare said, adding that Okta credentials were reset for all accounts that changed passwords in the past four months.

While it's possible hackers obtained more access and information than Okta has disclosed thus far, Lapsus$ also has a history of embellishing the extent of its own conquests. A supposedly major breach by the group against graphics card giant Nvidia revealed little in the way of sensitive information, though there were rogue security certificates that was used to spread malware.

Earlier this week, Lapsus$ posted screenshots indicating the group had accessed internal software repositories at Microsoft. The group published data Monday evening that allegedly contained Microsoft source code, though the authenticity has not been verified. A Microsoft spokesperson told SearchSecurity the software giant is aware of the claims and is investigating.