
Okta hack puts thousands of businesses on high alert


Okta lists Peloton, Sonos, T-Mobile, and the FCC among its 15,000 customers


Okta, an authentication company used by thousands of organizations around the world, has now confirmed an attacker had access to one of its employees’ laptops for five days in January 2022 and that around 2.5 percent of its customers may have been affected — but maintains its service “has not been breached and remains fully operational.”

The disclosure comes as hacking group Lapsus$ has posted screenshots to its Telegram channel claiming to be of Okta’s internal systems, including one that appears to show Okta’s Slack channels, and another with a Cloudflare interface.

Any hack of Okta could have major ramifications for the companies, universities, and government agencies that depend upon Okta to authenticate user access to internal systems.

“We have concluded that a small percentage of customers – approximately 2.5 percent – have potentially been impacted and whose data may have been viewed or acted upon,” Okta chief security officer David Bradbury wrote in an update Tuesday evening. “We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.”

In an earlier statement on Tuesday afternoon, Okta said that an attacker would only have had limited access during that five-day period — limited enough that the company claims “there are no corrective actions that need to be taken by our customers.”

Here’s what Bradbury says is and isn’t at stake when one of its support engineers is compromised:

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.
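Because the capabilities Okta describes for a support engineer come down to password and MFA-factor resets, the practical question for an affected customer is whether any such resets happened during the five-day window that were not initiated by the customer's own administrators. The following is an added example (not Okta's code and not part of the original article) of that triage check over System Log-style records. It assumes the Okta System Log event type names listed in `SENSITIVE_EVENT_TYPES` (verify them against your tenant), a record shape with `eventType`, `published`, `actor.alternateId`, `target[].alternateId` and `outcome.result`, and constructed sample events with illustrative dates and a hypothetical actor id `support-proxy@okta.example`; substitute the window and actor list from Okta's own notification.

```python
from datetime import datetime, timezone

# Event types for the actions Okta says a support engineer could perform
# (password and MFA-factor resets). These are assumed Okta System Log
# eventType strings; confirm them against your tenant's log before relying on them.
SENSITIVE_EVENT_TYPES = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.update",
}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_unexpected_resets(events, expected_actors, window_start, window_end):
    """Return the sensitive events inside [window_start, window_end) whose actor
    is not one of the accounts you expect to perform resets.

    Each event is a dict shaped like an Okta System Log record: 'eventType',
    'published', 'actor' (with 'alternateId'), 'target' (list of dicts with
    'alternateId') and 'outcome' (with 'result'). Other records are ignored.
    """
    hits = []
    for ev in events:
        if ev.get("eventType") not in SENSITIVE_EVENT_TYPES:
            continue
        published = parse_ts(ev["published"])
        if not (window_start <= published < window_end):
            continue
        actor = ev.get("actor", {}).get("alternateId", "<unknown>")
        if actor in expected_actors:
            continue
        targets = [t.get("alternateId", "<unknown>") for t in ev.get("target", [])]
        hits.append({
            "published": ev["published"],
            "eventType": ev["eventType"],
            "actor": actor,
            "targets": targets,
            "outcome": ev.get("outcome", {}).get("result", "UNKNOWN"),
        })
    hits.sort(key=lambda h: h["published"])
    return hits


# Constructed sample records, not real log data. The dates and the actor id
# 'support-proxy@okta.example' are illustrative placeholders.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2022-01-18T09:00:00.000Z",
     "actor": {"alternateId": "alice@example.com"}, "target": [],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.reset_all", "published": "2022-01-18T10:12:00.000Z",
     "actor": {"alternateId": "it-admin@example.com"},
     "target": [{"alternateId": "bob@example.com"}], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.account.reset_password", "published": "2022-01-18T10:15:00.000Z",
     "actor": {"alternateId": "support-proxy@okta.example"},
     "target": [{"alternateId": "alice@example.com"}], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.deactivate", "published": "2022-01-19T02:40:00.000Z",
     "actor": {"alternateId": "support-proxy@okta.example"},
     "target": [{"alternateId": "carol@example.com"}], "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.account.reset_password", "published": "2022-02-10T08:00:00.000Z",
     "actor": {"alternateId": "support-proxy@okta.example"},
     "target": [{"alternateId": "dave@example.com"}], "outcome": {"result": "SUCCESS"}},
]

# Illustrative five-day window; replace with the dates from Okta's notification.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 21, tzinfo=timezone.utc)
EXPECTED_ACTORS = {"it-admin@example.com"}


def run_sample():
    """Run the check over the constructed sample; returns the flagged events."""
    return flag_unexpected_resets(SAMPLE_EVENTS, EXPECTED_ACTORS, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit["published"], hit["eventType"], hit["actor"], "->", ", ".join(hit["targets"]))
```

On the sample, the two resets by the unexpected actor inside the window are flagged, the reset by the known administrator is not, and the reset after the window is ignored. A real run would pull the records from the tenant's System Log export; any flagged target account is one whose credentials and factors should be re-established through the customer's own process, since Okta's statement is that a support engineer can reset those factors even though they cannot read the passwords.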

Writing in its Telegram channel, the Lapsus$ hacking group disputes several of these points: it claims to have had “Superuser/Admin” access to Okta’s systems for two months rather than five days, that the compromised device was a thin client rather than a laptop, and that it found Okta storing AWS keys in Slack channels. The group also suggested it was using its access to zero in on Okta’s customers.

The Wall Street Journal notes that in a recent filing Okta said it had over 15,000 customers around the world. It lists the likes of Peloton, Sonos, T-Mobile, and the FCC as customers on its website. Based on the given figure of “approximately 2.5 percent,” the number of affected customers would be around 375 and could approach 400.

In an earlier statement sent to The Verge, Okta spokesperson Chris Hollis said the company has not found evidence of an ongoing attack. “In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” Hollis said. “We believe the screenshots shared online are connected to this January event.”

“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Hollis continued. But again, writing in its Telegram channel, Lapsus$ suggested that it had access for a few months.

Lapsus$ is a hacking group that’s claimed responsibility for a number of high-profile incidents affecting Nvidia, Samsung, Microsoft, and Ubisoft, in some cases stealing hundreds of gigabytes of confidential data.

Okta says it terminated its support engineer’s Okta sessions and suspended the account back in January, but claims it only received the final report from its forensics firm this week.

Update, 2:38PM ET: Added Okta’s statement and claims that the hack was very limited, with no corrective actions that need to be taken.

Update, 2:58PM ET: Added the Lapsus$ hacker group’s claims that it had access to a thin client rather than a laptop and that it found Okta storing AWS keys in Slack channels.

Update, 11:30PM ET: Added details from Okta’s updated statement.
