A January security breach seems to have done far less damage than Okta had initially feared. The company confirmed that it had been the target of a Lapsus$ hacking attack on March 22, and indicated that as many as 366 clients could have been affected in a follow-up statement earlier this month.
However, that tally was based on a worst-case scenario. Okta has now completed its forensic investigation, and is reporting that its actual exposure was limited to a 25-minute window on January 21. During that time, the hacker was able to obtain information on two Okta clients through the company’s SuperUser application, but was not able to reset any password or authentication factors or reconfigure any internal settings.
The actual attack occurred at Sitel, a third-party Okta vendor that also provided call center support services for Okta clients. The hacker was able to take over the workstation of one employee to access the SuperUser application, but was unable to impersonate that staff member in any interactions with clients, or log in through any of Okta’s official account channels. The hacker did manage to view information shared in apps like Slack and Jira, though Okta noted that neither app can be used to carry out any actions that affect its clients.
The investigation was carried out by a third-party forensic firm, and examined the entire five-day window from January 16 to January 21. The 366-client projection accounts for every single Okta client that Sitel interacted with through the SuperUser application during that period.
While the report is favorable for Okta, the company acknowledged that the breach has negatively impacted its reputation, and the company is taking steps to try to restore trust. The company has already cut ties with Sitel, and has shared and discussed the final forensics report with the affected organizations to make sure they understand what occurred.
Okta is also enacting a new Security Action Plan to improve third-party security moving forward. To that end, the company will force all of its support sub-processors to use the Okta IDAM solution for authentication when they log into their corporate applications, as part of a broader push toward a Zero Trust security environment.
For its part, Okta will take a more hands-on role to ensure that those new policies get followed. The company will directly manage any devices with access to its customer support system, and will audit its partners more frequently to guarantee compliance. The changes will give Okta more visibility into the activity on its network, and allow it to restrict the amount of information that individual customer support employees have access to through the system.