
Okta, Lapsus$ offer dueling narratives on breach claim


Identity and access management company Okta confirmed Tuesday that an attempted compromise of a third-party engineer's account was detected in January. But an extortion group insists it breached the company and took issue with the leadership's public statements, posting a rebuttal that suggested Okta hire a cybersecurity firm to investigate and issue a report.

As reported by SC Media, Lapsus$ posted screenshots on Monday to prove it breached the vendor. Todd McKinnon, Okta's CEO and co-founder, confirmed via Twitter that the company detected an attempt to compromise the account of a third-party customer support engineer in January, saying the company believes the screenshots are connected to that event and that the matter was contained.

Okta's chief security officer, David Bradbury, posted a statement to the company's blog on Tuesday morning stating that the company's services were not breached and were fully operational. A third-party forensics firm investigated the January event, saying an attacker had access to the engineer's laptop over a five-day period. Bradbury's post said the impact to Okta customers was limited to the access that support engineers have.

"We take our responsibility to protect and secure our customers' information very seriously," Bradbury wrote. "We are deeply committed to transparency and will communicate additional updates when available."

Bradbury offered an updated statement Tuesday evening saying a small percentage of customers — approximately 2.5% — were potentially impacted by the January event.

Those statements apparently didn't sit well with the cybercrime group. Lapsus$ claims that the group, in fact, compromised a thin client laptop and was able to log in as a superuser with the ability to reset passwords and multi-factor authentication for about 95% of Okta's clients.

Lapsus$ concluded its response by saying: "If you are commited [sic] to transparency how about you hire a firm such as Mandiant and PUBLISH their report? I'm sure it would be very different from your report :)"

Brett Callow, an expert on ransomware groups with Emsisoft, told SC Media that the cybercrime group's claims should be scrutinized, but added that its claims seemed to have been accurate.

After Okta's Bradbury acknowledged that about 2.5% of the company's clients were potentially impacted, Callow noted on Twitter that it would equate to about 375 of Okta's roughly 15,000 customers.

"How they've been impacted remains unclear," Callow tweeted.

Okta shares were down 17.88 points to $148.55 on Wednesday.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.