By now, you’ve probably heard about the Okta breach by the malicious hacker group Lapsus$. Here’s everything you need to know—from how to tell whether you’re exposed, to how to respond and reduce your risk.
Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says it is investigating claims of a data breach. Okta reports having over 3,800 employees and over 15,000 customers worldwide.
Lapsus$ is a threat actor group believed to be based in Brazil. The group gained notoriety in 2020 for breaching the Brazilian Health Ministry’s computer systems and later attacking other organizations such as Samsung, MercadoLibre, Vodafone and Ubisoft. Their MO is to compromise employee credentials and then exfiltrate customer data while appearing to act as a legitimate user.
What happened?
Okta suffered a third-party breach. On March 22, 2022, Lapsus$ leaked screenshots of alleged Okta customer data. In January 2022, Okta had detected an unsuccessful attempt to compromise the account of a third-party customer support engineer working for Sitel. This, it appears, is when the Lapsus$ attack occurred. Okta immediately shared suspicious IP addresses with a third-party forensics firm.
How bad is it?
Lapsus$ seems to have acquired “superuser/admin” access to Okta.com and subsequently accessed Okta customer data. The group’s stated intent is not to target Okta specifically, but to compromise customers using Okta as a third party.
As Okta announced, there was a five-day window, January 16-21, 2022, during which an attacker had access to a support engineer’s laptop. Okta also stated that the potential damage to its customers is limited to the access its third-party support engineers have. These engineers reportedly do not hold customer databases; they do, however, manage Jira tickets containing limited lists of users. Furthermore, as a sub-processor, they likely had high privileges in Okta customer accounts.
Moreover, the actions Lapsus$ was able to execute include resetting customer passwords and potentially changing the email address linked to an account, locking the customer out with devastating effects. The bottom line is that Okta suffered a third-party breach and, as the third party of so many companies, caused a massive third-party breach of its own.
Who might be impacted?
Any customer using Okta services, and any organization whose third parties use Okta as an IdP, may be compromised. Okta believes approximately 2.5% of its customers have been impacted, including having their data compromised. Okta has identified those customers and is contacting them.
What should you do? Follow these steps:
Identify:
- Identify whether your company, or any of your critical third-party vendors and partners, uses Okta as an IdP. Your third-party risk management platform can help you with the identification process. If you are an Okta customer, reach out to Okta directly to ask whether you were impacted.
- Review Okta sign-in activity for anomalies.
Protect:
- Shorten the user session expiry period in your Okta configuration.
- Review your enforcement policies in place for multi-factor authentication of your identities (ideally with an authenticator app).
- Unprovision any unused identities (users) in your organization.
- Enable user notifications for new sign-ins, new factor enrollment and factor resets.
- Follow Panorays’ news page for updates on this breach. Panorays customers can also follow the Okta vendor page and “Cyber News & Data Breaches” section of the Panorays platform for continuous updates on this breach.
Respond:
- Mitigate future risk by considering an upgrade to your third-party security risk management approach.
- Refer to Panorays’ Third-Party Incident Response Playbook to help you prepare for and respond to incidents like these with your third parties.
- Communicate to employees the need for extra vigilance and the need to notify security administrators about any upticks in phishing attempts in particular.
- Communicate to your third parties the steps you are taking to mitigate damage, so they can replicate them.
- Be on alert for updates from Okta about possible compromises, and leverage your cybersecurity stack for added visibility and alerting on any suspicious activity, especially password resets.
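As an added example (not from the original post, nor code from Panorays or Okta), the script below shows what "reviewing Okta sign-in activity for anomalies" (Identify) and "alerting on suspicious activity, especially password resets" (Respond) can look like when run over Okta System Log events. The log lines are constructed, the e-mail addresses and IP addresses are placeholders, and the event-type names are assumptions drawn from Okta's System Log event catalogue; verify them against your own tenant's log before relying on them. It goes slightly beyond the text by also flagging a single actor who resets several users' passwords in a short window, which is the pattern a compromised support account would produce.

```python
"""Triage Okta System Log events for account-takeover indicators.

Added example: the event records below are constructed for illustration,
not real Okta data, and the event types to watch are assumptions drawn
from Okta's System Log event catalogue.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event types matching the actions the post warns about: password resets,
# MFA factor removal and profile (e-mail) changes. Assumed names.
SENSITIVE_EVENTS = {
    "user.account.reset_password": "password reset",
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "user.mfa.factor.deactivate": "MFA factor removed",
    "user.account.update_profile": "profile (e.g. e-mail) changed",
}

# Constructed sample log shaped like Okta System Log JSON, one event per line.
SAMPLE_LOG = """
{"published": "2022-01-20T09:00:00.000Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.5", "geographicalContext": {"country": "US"}}, "target": []}
{"published": "2022-01-20T09:05:10.000Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "support-eng@example.com"}, "client": {"ipAddress": "198.51.100.77", "geographicalContext": {"country": "BR"}}, "target": []}
{"published": "2022-01-20T09:06:00.000Z", "eventType": "user.account.reset_password", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "support-eng@example.com"}, "client": {"ipAddress": "198.51.100.77", "geographicalContext": {"country": "BR"}}, "target": [{"type": "User", "alternateId": "bob@example.com"}]}
{"published": "2022-01-20T09:07:30.000Z", "eventType": "user.mfa.factor.reset_all", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "support-eng@example.com"}, "client": {"ipAddress": "198.51.100.77", "geographicalContext": {"country": "BR"}}, "target": [{"type": "User", "alternateId": "bob@example.com"}]}
{"published": "2022-01-20T09:09:00.000Z", "eventType": "user.account.reset_password", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "support-eng@example.com"}, "client": {"ipAddress": "198.51.100.77", "geographicalContext": {"country": "BR"}}, "target": [{"type": "User", "alternateId": "carol@example.com"}]}
{"published": "2022-01-20T11:00:00.000Z", "eventType": "user.account.reset_password", "outcome": {"result": "SUCCESS"}, "actor": {"type": "User", "alternateId": "helpdesk@example.com"}, "client": {"ipAddress": "203.0.113.9", "geographicalContext": {"country": "US"}}, "target": [{"type": "User", "alternateId": "dave@example.com"}]}
"""


def parse_log(text):
    """Parse newline-delimited JSON events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event):
    """Okta publishes timestamps as ISO 8601 with millisecond precision and a Z suffix."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def find_sensitive_actions(events):
    """Return every successful account-changing action, with actor and affected users."""
    findings = []
    for ev in events:
        label = SENSITIVE_EVENTS.get(ev["eventType"])
        if label is None or ev["outcome"]["result"] != "SUCCESS":
            continue
        targets = [t["alternateId"] for t in ev.get("target", []) if t.get("type") == "User"]
        findings.append({"when": ev["published"], "actor": ev["actor"]["alternateId"],
                         "action": label, "targets": targets})
    return findings


def find_foreign_signins(events, expected_countries):
    """Map each actor to the (IP, country) pairs of successful sign-ins outside expected countries."""
    suspects = defaultdict(set)
    for ev in events:
        if ev["eventType"] != "user.session.start" or ev["outcome"]["result"] != "SUCCESS":
            continue
        country = ev["client"].get("geographicalContext", {}).get("country")
        if country not in expected_countries:
            suspects[ev["actor"]["alternateId"]].add(f'{ev["client"]["ipAddress"]} ({country})')
    return {actor: sorted(v) for actor, v in suspects.items()}


def find_bulk_resets(events, window=timedelta(minutes=15), threshold=2):
    """Flag actors who reset passwords for >= threshold distinct users within one window."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["eventType"] == "user.account.reset_password" and ev["outcome"]["result"] == "SUCCESS":
            for t in ev.get("target", []):
                per_actor[ev["actor"]["alternateId"]].append((_ts(ev), t["alternateId"]))
    flagged = {}
    for actor, items in per_actor.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # sliding window starting at each reset
            targets = {tgt for ts, tgt in items[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[actor] = sorted(targets)
                break
    return flagged


def triage(log_text, expected_countries=frozenset({"US"})):
    """Run all three checks and return a report dict; expected_countries is an assumed allowlist."""
    events = parse_log(log_text)
    return {
        "sensitive_actions": find_sensitive_actions(events),
        "foreign_signins": find_foreign_signins(events, expected_countries),
        "bulk_resets": find_bulk_resets(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Replace `SAMPLE_LOG` with an export from the System Log API and `expected_countries` with where your workforce actually signs in from; the interesting output is not the individual reset (help desks reset passwords all day) but a reset immediately followed by an MFA factor wipe, or one actor touching several accounts in minutes.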
Panorays’ third-party security management platform automatically identifies your third parties as well as their vendors (your fourth parties), giving you clear insight into their security posture.
Want to get visibility and control over your third parties? It all starts with knowing who you are doing business with. Find out with Panorays today!