On 22 March 2022, identity and access management company Okta published a blog on a security incident affecting a third party provider. The company notified customers who may have been affected and informed them that no corrective actions are needed
On 22 March 2022, Okta announced that they were investigating claims of a data breach by an extortion threat group known as LAPSUS$. The threat actors shared screenshots, taken on 21 January 2022, showing access to an Okta account. Okta reported that the screenshots are related to a late-January security incident, where threat actors obtained remote access to a support engineer’s computer at Sitel, a third-party customer support provider.
Okta stated that the actors had access to SuperUser, an internal management application, for a period of five days. The application is used by Sitel support engineers to perform basic management functions on Okta tenants. The actors attempted to use the account of the Sitel engineer to add a new Multi-factor Authentication (MFA) factor to his Okta account, but did not succeed.
According to the statement from Okta, SuperUser accounts are unable to perform high-privileged functions such as:
- to create or delete users
- to download customer databases
- to access Okta source code repositories
Based on the information available on 23 March 2022, Okta reported that “there is no evidence of ongoing malicious activity beyond the activity detected in January”, and no impact to Auth0, HIPAA, or FedRAMP customers. Okta is continuing its investigation, including identifying and contacting those customers that may have been impacted. Okta assessed that Sitel may have accessed the Okta tenant for a maximum of 366 of its customers.
Field Effect has completed an internal review and confirmed that Okta is not used within our environment. Our security team continues to monitor for any event developments and other compromises attributed to this threat actor group.