Authentication Giant Okta Breached Through Customer Support

Cybersecurity giant Okta, which provides authentication services for private and government clients and handles how hundreds of millions of users are able to securely log into their employer’s networks, itself was targeted by an extortion-focused hacking group.

In a statement, Okta said the breach was brief and took place in January. But the method the hackers used to gain access still highlights a weakness in giant companies: the hackers targeted a third-party customer support worker.

“In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors,” Okta told Motherboard in a statement. “The matter was investigated and contained by the subprocessor.”

The statement pointed to screenshots of apparent internal Okta systems posted in the Telegram channel of the hacking group that calls itself LAPSUS$ on Monday. The screenshots showed someone logged into Okta systems with the list of various apps they could then access from that position, and a Slack that appears to belong to Okta. Some of the screenshots also showed someone in the process of resetting a password belonging to a specific employee at cybersecurity firm Cloudflare, and another appeared to show access to a panel associated with the firm too. Those images suggest that the hackers were potential trying to leverage their access to Okta to gain access to Cloudflare assets, which provides infrastructure and security services to millions of websites.

Theoretically, if a hacker gained access to internal Okta systems, they might be able to leverage that access in some way to then target Okta customers. Okta, though, said in its statement that “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

“For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor,” LAPSUS$ wrote in a Telegram post along with the screenshots, referring to Okta.

Okta added in its statement that “We believe the screenshots shared online are connected to this January event.”

Cloudflare has responded to the potential targeting of its organization via the access to Okta. Matthew Prince, CEO of Cloudflare, tweeted that his company was resetting the Okta credentials of any employees who had changed their passwords in the past four months out of an abundance of caution.

“We’ve confirmed no compromise. Okta is one layer of security,” Prince’s tweet added. He even suggested that Cloudflare may hire a different authentication provider because of the compromise. “Given they may have an issue we’re evaluating alternatives for that layer,” he wrote.

Companies use Okta as a “single sign on” (SSO) solution. Meaning that instead of workers having to remember and manage passwords for a spread of services their employer’s use, such as cloud storage, email, note taking, expense filing, all logins are handled by Okta and one password. The idea is to make authentication that whoever is using a particular online account is the correct person much easier and more streamlined. Without, workers may recycle passwords potentially exposing different services to hackers, and if a company uses Okta they can gain more helpful insights when or if an account is compromised too.

Notably, Okta’s description of the hack is somewhat similar to another breach that LAPSUS$ appears connected to: the June compromise of gaming giant Electronic Arts. As Motherboard revealed, hackers in that case bought a login token for EA’s Slack instance from an underground marketplace, and then once inside, tricked an EA IT support account to provide them with the necessary two-factor authentication token to gain access to other parts of EA’s corporate environment. (The marketplace was Genesis Marketplace, which, as an aside, also sells stolen Okta login tokens, one of the hackers previously told Motherboard).

Customer support workers specifically are sometimes a target for hackers. As Motherboard previously reported, a hacker bribed a customer support representative at gaming platform Roblox to then gain access to individual players’ accounts.

LAPSUS$ is an increasingly audacious hacking group that has targeted a wealth of companies over the past few months, including Nvidia and Samsung. LAPSUS$ typically breaks into a target’s network, steals sensitive data, and then tries to extort the victim company. The group has also repeatedly dumped data that it says came from the victims’ networks. 

On Monday, Motherboard reported that Microsoft was investigating a claim from LAPSUS$ that it had breached the company. LAPSUS$ has since posted data in its Telegram channel that it says came from the company. Microsoft did not immediately respond to a request for an updated statement in relation to the data dump.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.