Okta, one of the world’s leading providers of digital identity verification, said that a January data breach revealed by hackers this week may have affected hundreds of customers that rely on its software to manage secure access to their internal computer networks.
Okta said the attack had affected as many as 366 customers, or 2.5% of the more than 15,000 businesses and institutions it services world-wide. The breach, claimed by the Lapsus$ group, originated from the laptop of an engineer employed by a subcontractor, which the hackers had access to between Jan. 16 and Jan. 21, Okta said Tuesday.
Okta said it had contacted customers that were potentially affected. Shares of Okta fell 11% to $148.55 on Wednesday.
Reports of the breach emerged earlier this week after Lapsus$ posted screenshots that appeared to be of Okta internal systems to its Telegram social-media account. The group said its primary target wasn’t Okta but its customers.
Okta said in separate statements on Tuesday that the screenshots were from a computer used by a customer-support engineer from a unit of a subcontractor, Miami-based Sitel Group. Taking control of the computer effectively gave the hackers the same level of access as the engineer, according to Okta.
Support engineers can access only limited data and while they can help reset passwords and multifactor authentication factors, they can’t see the passwords themselves, Okta said. The engineer didn’t have “godlike access,” and had no power to create or delete user accounts, download customer databases or access source-code repositories, it said.
“The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard.”
Okta said it notified Sitel of the breach in late January, and Sitel hired an outside forensic firm to investigate. The full results of the investigation were shared with Okta on Tuesday, it said, expressing disappointment at the time taken to issue the results.
The unit of Sitel where the breach took place, Tampa, Fla.-based Sykes Enterprises Inc., said it took swift action to contain the incident after learning of the hack. “Following completion of the initial investigation, working in partnership with the worldwide cybersecurity leader, we continue to investigate and assess potential security risks to both our infrastructure and to the brands we support around the globe,” Sykes said in a statement Tuesday.
In a follow-up Telegram post, Lapsus$ disputed some of Okta’s findings. It denied that it compromised a laptop and said support engineers have more-extensive access than Okta suggested, including to internal communications. It also took issue with Okta’s assertion that the impact of the breach on customers was limited. The ability to reset passwords and multifactor authentication factors “would result in complete compromise of many clients’ systems,” Lapsus$ said.
When asked about the hackers’ claims, an Okta spokeswoman referred to the company’s earlier statement describing the limitations of the breach.
In a blog post on Tuesday, Microsoft confirmed it had been hacked by the group, and said that for weeks it had been tracking what it described as a large-scale campaign by Lapsus$ against multiple organizations. It described the group as often acting openly and not trying to cover its tracks, using extortion and destruction of data.
After gaining access to an organization, the group has been known to listen in on crisis communication calls and internal messaging forums, Microsoft said.
The group—which communicates in Portuguese and broken English on Telegram—cut its teeth with attacks in Brazil, Portugal and the U.K. before expanding to target some of the world’s biggest and most prestigious companies. In recent weeks, Lapsus$ has taken credit for hacks on
and has offered to pay employees from companies such as
for help obtaining access.
It also has taken over individual accounts at cryptocurrency exchanges and drained users’ holdings.
Corrections & Amplifications
Hacking collective Lapsus$ didn’t claim responsibility for an attack on Apple Inc. An earlier version of this article incorrectly said that Lapsus$ had made that claim. (Corrected on March 24)
Write to Dan Strumpf at email@example.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
Appeared in the March 24, 2022, print edition as ‘Hundreds at Risk in Okta Hack.’