What Do You Need to Know About the Okta Hack?
Okta has over 15,000 customers on its platform and has been in business since 2009. In 2019, it was claimed that the site has more than 100 million registered users.

After widely used access management company Okta announced it had been hit by hackers, concerns were raised that the hack could have major consequences for its thousands of customers.
Although the scope of the breach is unknown, cascading effects are likely to occur because Okta’s online authentication services are used by large companies including FedEx, T-Mobile US, Coinbase, and Moody’s. According to its website, Okta has been in business since 2009 and has more than 15,000 customers on its platform. It was reported in 2019 that there are more than 100 million registered customers using the platform. The company said 2.5 percent of its customers were impacted and that they were notified about the incident.
Lapsus$ is a relative newcomer to the lucrative ransomware market but hit the ground running with high-profile hacks. The group compromised the websites of Portuguese media conglomerate Impresa earlier this year. The group continued with attacks targeting chipmaker Nvidia Corp, Samsung, Ubisoft, and Microsoft.
The nature of Okta’s services makes the hack even more important. The company sells identity services, such as Single Sign-On and Multi-factor Authentication, and the credentials of its customers could be stolen as a result of this cyber attack. This is why global cloud services provider Cloudflare, which also uses Okta, said it had reset the credentials of some employees.
The attack happened in January 2022, when an attacker had access to one of Okta’s employees’ laptops for five days. The disclosure comes as hacking group Lapsus$ has posted screenshots to its Telegram channel that it claims are of Okta’s internal systems, including one that appears to show Okta’s Slack channels, and another with a Cloudflare interface. The attackers also claimed to have had “Superuser/Admin” access to Okta’s systems for two months, not just five days. They added that they had access to a thin client rather than a laptop and claimed to have found Okta storing AWS keys in Slack channels. The group also suggested it was using its access to zero in on Okta’s customers.
On the other hand, Okta chief security officer David Bradbury stated in an update that the potential impact on Okta customers is limited. The main reason is that the attackers gained the access that support engineers have. According to Okta’s update, these engineers are unable to create or delete users or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users but are unable to obtain those passwords.
“There are no corrective actions that need to be taken by our customers,” Bradbury stated. But his statement is not enough to convince many security researchers. Because support engineers at Okta are able to help reset passwords, some customers “may have been impacted.” There have been many reactions against the company for trying to downplay the importance of the breach, and customers are strictly advised to be very vigilant. As with Cloudflare, there were already signs that Okta customers were taking action to revisit their security.
If you are an Okta customer and curious about what kind of precautions to take, here are some recommendations from Keepnet: