Okta, whose authentication services are used by companies to provide access to their networks, is investigating a digital breach after hackers posted screenshots of what they said was internal information.
The scope of the hack is unknown, but it could have major consequences because thousands of companies rely on San Francisco-based Okta to manage access to their networks and applications.
In a statement, Okta official Chris Hollis said the hack could be related to a previously undisclosed incident in January, which he said had since been contained. Okta had detected an attempt to compromise the account of a third-party customer support engineer at the time, said Hollis.
“We believe the screenshots shared online are connected to this January event,” he said. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
Okta did not disclose whether clients were affected or, if so, how many. It said: “We are continuing our investigation and will provide additional information as it becomes available.”
On its website, Okta describes itself as the “identity provider for the Internet” and says it has more than 15 000 customers on its platform.
It competes with the likes of Microsoft, PingID, Duo, SecureAuth and IBM to provide identity services such as single sign-on and multi-factor authentication used to help users securely access online applications and websites.
The screenshots were posted by a group of ransom-seeking hackers known as Lapsus$ on their Telegram channel late on Monday. In an accompanying message, the group said its focus was “ONLY on Okta customers”.
Security experts said the screenshots appeared to be authentic. “I definitely do believe it is credible,” said independent security researcher Bill Demirkapi, citing pictures of what appeared to be Okta’s internal tickets and its in-house chat on the Slack messaging app.
Dan Tentler, the founder of cybersecurity consultancy Phobos Group, said he, too, believed the breach was real and urged Okta customers to “be very vigilant right now”.
Lapsus$ is a relatively new entrant to the crowded ransomware market but has already made waves with high-profile hacks and attention-seeking behaviour.
The group compromised the websites of Portuguese media conglomerate Impresa earlier this year, tweeting the phrase “Lapsus$ is now the new president of Portugal” from one newspaper’s Twitter accounts. The Impresa-owned media outlets described the hack as an assault on press freedom.
Last month, the group leaked proprietary information about US chip maker Nvidia to the Web. More recently, the group has purported to have leaked source code from several big technology firms.
The hackers did not respond to a message left on their Telegram group chat seeking comment. — Raphael Satter, with James Pearson, (c) 2022 Reuters