Incidents Timeline
On March 22nd, 2022 the hacking group Lapsus$ published information regarding a security breach at Okta on their behalf. As was later confirmed by Okta, the account of a contract worker for their Customer Support organization was used to access internal systems on January 20th and 21st, 2022 for approximately one hour. During this period the attacker was potentially able to access 2.5% of Okta's customer base with limited privileges.
On December 21st, 2022 Okta revealed that software code from a private repository of the company on GitHub was extracted.
On October 20th, 2023 Okta informed that credentials of a service account to access Okta's support case management system had been stolen and the threat actor was able to view files uploaded by 134 customers (equates to 1% of the customer base). It was later specified that all users of its customer support system were affected. Some customers shared their own response to the event, notably Cloudflare, 1Password, and BeyondTrust (see references below). The credentials of the service account were stored in an employee’s personal Google account that was signed in on a company laptop.
Okta and eduGAIN
As an identity and access management company Okta's services may be used by eduGAIN's constituency as well. The company claims that all customers that are possibly affected have been contacted directly. However, if You're an Okta customer the eduGAIN CSIRT recommends to:
- examine Okta related logs for malicious activity
- contact Okta to clarify, whether You are impacted by the incident and which additional measures are advised
If You need help assessing the incident or need some proxy for the communication with Okta, please contact the eduGAIN CSIRT, as per https://edugain.org/edugain-security/.
References
Okta develops cloud-based software solutions for identity and authentication management (Identity as a Service, IDaaS) used by many large organizations.
https://www.okta.com/
Lapsus$ is a hacking group specialized on digital extortion of data from high profile organizations. Since December 2021 they claimed responsibility for breaches of companies like NVIDIA, Samsung, Microsoft and Okta.
NO attribution for the incidents in December 2022 and October 2023 so far.
Okta's public response to the incident in March 2022
https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/
https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/
Okta's public response to the incident in December 2022
https://sec.okta.com/articles/2022/12/okta-code-repositories
Okta's public response to the incident in October 2023
https://sec.okta.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system
https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause
https://sec.okta.com/harfiles
Customer responses to the incident in October 2023
https://blog.1password.com/okta-incident/
https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise
https://www.beyondtrust.com/blog/entry/okta-support-unit-breach