Okta’s Data Breach: The known, the unknown, and why you should be concerned either way

Summary

Okta, a popular identity management provider, has fallen next in line in a series of data breaches involving big names like Samsung, Nvidia, Ubisoft and Microsoft. 

In order to understand the magnitude of this event, we need to first dig a bit deeper into Okta. This company provides an identity management platform used by 15,000 companies, such as Fedex, Moody’s and Cloudflare. An identity management platform is a service that lets the users of those enterprises log into multiple services in a simple way, namely without providing a separate set of credentials for each one (also known as Single Sign-On).

If you’re thinking you’ve never used Okta so you don’t have to worry, don’t be so sure. The use of this platform happens behind the scenes and is often hidden in code, which means you could be using Okta every day without even knowing it.

While Okta claims the leaked information belongs to a breach from January, the hacker group posting the information disputes this timeline. There are also still questions around how many accounts were actually affected. Either way, there are reasons to stay vigilant. 

Some Context

A few months ago, a hacker collective named Lapsus$ took the world by storm with attacks on Portuguese and South American organizations, such as Brazil’s Health Ministry, Claro, Embratel and the Portuguese media giant Impresa.

Soon after, the hacker group grew more confident and started hitting even bigger targets like MercadoLibre, one of South America's biggest e-commerce platforms, Samsung, Vodafone, Nvidia and Ubisoft. Some of these companies experienced data theft and extortion, and some even suffered Denial of Service attacks, rendering their services unavailable for a period of time.

More recently, the group posted source code stolen from Microsoft’s Bing and Cortana products. This last attack appeared to have happened after compromising an employee's account.

Now, the group has posted pictures showing that they gained access to an Okta administrator account.

The Attack

On March 21, Lapsus$ released images on a Telegram channel demonstrating that Okta’s systems had been compromised.

In response, Okta’s CISO, David Bradbury, stated that those pictures corresponded to a breach which took place between Jan. 16 and Jan. 22, at which point the compromised account was suspended. Bradbury shared that Lapsus$ gained access to their platform by taking over a machine belonging to an employee of Sitel, a company subcontracted by Okta. Then, using a remote desktop protocol, the hackers were able to take the screenshots, which they later posted on Telegram. He stated that none of Okta’s systems were directly breached by this attack and that, in a worst-case scenario, only 366 customers would be affected. This is because of the use of least-privilege access controls, which allow users to perform only the minimum set of actions necessary for their jobs.

From there, it didn’t take long for other companies to issue statements about the status of their own systems. For example, Cloudflare’s CEO, Matthew Prince, quickly stated that none of their systems were compromised, since Okta was merely one layer of security among the many they have implemented.

Although Okta claims the breach happened in January, Lapsus$ posted that this claim is false and that the pictures correspond to a more recent breach. Either way, if those screenshots actually belonged to an administrator account, there is a chance that even least-privilege access and layered security controls would be insufficient to contain the breach.

What to expect?

Several things remain unknown. Namely, how many accounts were actually affected? This number may be larger than expected if Okta’s claims are only an attempt to project confidence to an already affected market. One thing we do know is that shares in Okta Inc. fell 9% yesterday after the attack was confirmed.

At Red Sentry, we encourage our readers to follow cybersecurity best practices in order to minimize the likelihood of getting breached. Here are some recommendations: 

  • Disable any default credentials to access your platforms.
  • Use password managers to handle different sets of credentials and use randomly generated passwords.
  • Break your system’s access into different roles and give minimum permissions and access to those roles as needed.
  • Update and patch your software in a timely manner.
  • Invest in cybersecurity solutions. Red Sentry provides tools that behave similarly to a malicious attacker, so you can find your vulnerabilities before a hacker does.

Andres Pena
Security engineer, developer and economist
