Okta hack: What to know

Hacking group Lapsus$ has claimed to have gained access to Okta's internal systems

Shares of Okta fell on Tuesday, as the broader market rallied, after hacking group Lapsus$ said it had gained access to the authentication firm's internal systems – a move the security company questioned. 


Here is a FOX Business roundup of everything you need to know about the hack. 


Who is Lapsus$?

Lapsus$ is a group of hackers that appears to focus primarily on stealing sensitive data, which it uses to extort money from its victims. The group reportedly posted several screenshots on its Telegram channel late Monday, which it claimed were of Okta's internal systems. According to Reuters, Lapsus$ said in an accompanying message that its focus was "ONLY on Okta customers."

In addition to the Okta breach, Lapsus$ has previously claimed responsibility for a cybersecurity incident in which Nvidia employee credentials and roughly 1 terabyte of company data were stolen.

A representative for Microsoft told FOX Business on Tuesday that the company is investigating following reports that Lapsus$ had allegedly stolen and leaked source code for Bing, Cortana and other projects from the tech giant's internal Azure DevOps server. Other Lapsus$ victims have reportedly included Samsung, video game giant Ubisoft, Brazil's Ministry of Health, Portuguese media group Impresa and its weekly newspaper Expresso.



Okta says service has not been breached

Okta chief security officer David Bradbury said in an updated statement on Tuesday that its service has not been breached and remains fully operational. Bradbury added that there are "no corrective actions that need to be taken by our customers." 

In January, Okta detected "an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider." The company previously stated that the matter was investigated and contained and that there is "no evidence of ongoing malicious activity beyond the activity detected in January."

"As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account," the company explained. "Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm."

According to Okta, the forensic firm's report found that there was a five-day window of time between Jan. 16 and 21 where an attacker had access to a support engineer’s laptop, consistent with the screenshots shared by Lapsus$. 


Okta said the impact to its customers is limited because support engineers are unable to create or delete users or download customer databases. However, the company noted that support engineers can access Jira tickets and lists of users, which were seen in the Lapsus$ screenshots. Support engineers can also reset passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.

"We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers," Okta added. "We take our responsibility to protect and secure our customers' information very seriously. We are deeply committed to transparency and will communicate additional updates when available."

Lapsus$ responds to Okta

In a response to Okta's latest statement, Lapsus$ said it accessed a "thin client" rather than a laptop and that it was unsure how logging into a superuser portal with the ability to reset the password and MFA of roughly 95% of clients isn't successful. 

It also said that the potential impact to Okta clients is not limited, adding that it is "pretty certain resetting passwords and MFA would result in complete compromise of many client systems."

Lapsus$ added that Okta should prove its commitment to transparency by publishing the forensic firm's report.  


How many customers does Okta have?

As of Jan. 31, more than 15,000 customers across nearly every industry use the Okta Identity Cloud to secure and manage identities around the world, including more than 3,100 customers with an annual contract value greater than $100,000. 


Okta's customers include universities, non-profits, government agencies, small organizations with fewer than 100 employees and companies in the Fortune 50 with up to hundreds of thousands of employees. Examples listed on its website include Lululemon, Grubhub, Jet Blue Airlines, Peloton, Sonos and T-Mobile.