March 23, 2022
By Raphael Satter
WASHINGTON (Reuters) -Okta Inc, whose authentication services are used by companies including Fedex Corp and Moody’s Corp to provide access to their networks, said on Tuesday that it had been hit by hackers and that some customers may have been affected.
The scope of the breach is still unclear, but it could have major consequences because thousands of companies rely on San Francisco-based Okta to manage access to their networks and applications.
Chief Security Officer David Bradbury said in a blog post that a customer support engineer working for a third-party contractor had his computer accessed by the hackers for a five-day period in mid-January and that “the potential impact to Okta customers is limited to the access that support engineers have.”
“There are no corrective actions that need to be taken by our customers,” he said.
Nevertheless, Bradbury acknowledged that support engineers were able to help reset passwords and that some customers “may have been impacted.” He said the company was in the process of identifying and contacting them.
The nature of that impact wasn’t clear and Okta did not immediately respond to an email asking how many organizations were potentially affected or how that squared with Okta’s advice that customers did not need to take corrective action.
The company’s shares were down 1.3% at $167.14 in late afternoon trading, off earlier lows.
On its website, Okta describes itself as the “identity provider for the internet” and says it has more than 15,000 customers on its platform.
It competes with the likes of Microsoft Corp, PingID, Duo, SecureAuth and IBM to provide identity services such as single sign-on and multifactor authentication used to help users securely access online applications and websites.
‘BE VERY VIGILANT’
Okta’s statement follows the posting of a series of screenshots of Okta’s internal communications by a group of ransom-seeking hackers known as Lapsus$ on their Telegram channel late on Monday.
In an accompanying message, the group said its focus was “ONLY on Okta customers.”
Lapsus$ responded to Okta’s statement on Tuesday by saying the company was trying to minimize the importance of the breach.
Some outside observers weren’t impressed with Okta’s explanation either.
“In my opinion, it looks like they’re trying to downplay the attack as much as possible, going as far as directly contradicting themselves in their own statements,” said Bill Demirkapi, an independent security researcher.
Dan Tentler, the founder of cybersecurity consultancy Phobos Group, earlier told Reuters that Okta customers should “be very vigilant right now.”
There were already signs that Okta customers were taking action to revisit their security.
Web infrastructure company Cloudflare issued a detailed explanation https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise of how it reacted to the Okta breach and saying the company did not believe it had been compromised as a result.
FedEx said in a statement that it too was investigating and “we currently have no indication that our environment has been accessed or compromised.” Moody’s did not return a message seeking comment.
Lapsus$ is a relatively new entrant to the crowded ransomware market but has already made waves with high-profile hacks and attention-seeking behavior.
The group compromised the websites of Portuguese media conglomerate Impresa earlier this year, tweeting the phrase “Lapsus$ is now the new president of Portugal” from one newspaper’s Twitter accounts. The Impresa-owned media outlets described the hack as an assault on press freedom.
Last month, the group leaked proprietary information about U.S. chipmaker Nvidia Corp to the Web.
More recently the group has purported to have leaked source code from several big tech firms, including Microsoft. In a blog post https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction published Tuesday and devoted to Lapsus$, the software firm confirmed that one of its accounts had been compromised, “gaining limited access.”
The hackers did not respond to a message left on their Telegram group chat seeking comment.
(Reporting by Raphael Satter in WashingtonAdditional reporting by James Pearson in LondonEditing by Jonathan Oatis and Stephen Coates)