“In Okta’s statement, they said they had not been breached and that the attacker’s attempts had failed, yet they openly admit that attackers had access to customer data,” said independent security researcher Bill Demirkapi. “If Okta knew since January that an attacker may have had access to confidential customer data, why have they never informed any of their customers?”
In practice, breaches of third-party service providers are an established path of attack for ultimately compromising a primary target, and Okta itself appears to keep its circle of “sub-processors” deliberately small. A list of these affiliates as of January 2021 shows 11 regional partners and 10 sub-processors. The latter group are well-known entities such as Amazon Web Services and Salesforce. The screenshots point to Sykes Enterprises, which has a team in Costa Rica, as a possible partner whose employee’s administrative Okta account may have been compromised.
Sykes, which is owned by business services outsourcing company Sitel Group, said in a statement, first reported by Forbes, that it had been breached in January.
“Following a security breach in January 2022 that affected parts of the Sykes network, we took swift action to contain the incident and protect potentially affected customers,” the company said in a statement. “As a result of the investigation, along with our ongoing assessment of external threats, we are confident that there is no longer a security risk.”
The Sykes statement went on to say that the company “is unable to comment on our relationship with specific brands or the nature of the services we provide to our customers.”
On its Telegram channel, Lapsus$ posted a detailed (and at times self-satisfied) rebuttal to Okta’s statement.
“The potential impact on Okta customers is NOT limited, I’m pretty sure passwords will be reset and [multifactor authentication] would result in a complete compromise of many client systems,” the group wrote. “If you are committed [sic] how about if you hire a company like Mandiant and PUBLISH their report?”
However, for many Okta customers struggling to understand their potential exposure to the incident, all of this does little to clarify the full scope of the situation.
“If an Okta support engineer can reset passwords and multi-factor authentication factors for users, it could pose a real risk to Okta customers,” said Red Canary’s McCammon. “Okta customers are trying to assess their risk and potential exposure, and the industry in general is looking at this through the lens of preparedness. If or when something like this happens with another identity provider, what should our expectations be regarding proactive reporting and how should our response evolve?”
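The risk McCammon describes is concrete enough to check for: if a support engineer’s account can reset passwords and MFA factors, those actions leave entries in the tenant’s Okta System Log. The following script is an added example written for this page, not code from the article, from Okta or from any of the firms quoted. It triages log entries of the shape returned by Okta’s `GET /api/v1/logs` endpoint and flags password and MFA resets performed by any actor not on the customer’s own admin list. The event type names are taken from Okta’s System Log catalogue as recalled by the author of this example and should be verified against your tenant’s documentation; the log entries, user names and IP addresses are constructed for illustration.

```python
"""Added example (not from the article or from Okta): triage Okta System Log
entries for the actions a support engineer could take against a tenant's
users, namely password resets and MFA factor resets/removals, and flag any
performed by an actor who is not one of the tenant's own administrators.

Assumptions, labelled: event type strings follow Okta's System Log catalogue
as recalled here and must be checked against your tenant's documentation;
the field layout mirrors the JSON that GET /api/v1/logs returns; the sample
entries below are constructed, not real tenant data.
"""
import json
from datetime import datetime, timezone

# Event types that change how a user authenticates.  Assumption: names taken
# from Okta's System Log event catalogue; verify against your own tenant.
SENSITIVE_EVENTS = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.update",
    "user.session.impersonation.initiate",
}

# Constructed sample entries in the shape of the /api/v1/logs response.
SAMPLE_LOGS = [
    {"uuid": "1", "published": "2022-01-20T14:02:11.000Z",
     "eventType": "user.account.reset_password",
     "actor": {"id": "00uALICE", "type": "User", "alternateId": "alice@example.com"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}],
     "client": {"ipAddress": "203.0.113.5"}},
    {"uuid": "2", "published": "2022-01-21T03:17:45.000Z",
     "eventType": "user.mfa.factor.reset_all",
     "actor": {"id": "00uSUPPORT", "type": "User", "alternateId": "support-eng@vendor.example"},
     "target": [{"type": "User", "alternateId": "cfo@example.com"}],
     "client": {"ipAddress": "198.51.100.7"}},
    {"uuid": "3", "published": "2022-01-21T03:19:02.000Z",
     "eventType": "user.session.start",          # benign: not a credential change
     "actor": {"id": "00uCFO", "type": "User", "alternateId": "cfo@example.com"},
     "target": [],
     "client": {"ipAddress": "198.51.100.7"}},
    {"uuid": "4", "published": "2022-01-22T09:00:00.000Z",
     "eventType": "user.mfa.factor.deactivate",
     "actor": {"id": "00uSUPPORT", "type": "User", "alternateId": "support-eng@vendor.example"},
     "target": [{"type": "User", "alternateId": "admin@example.com"}],
     "client": {"ipAddress": "198.51.100.7"}},
]

# The tenant's own administrator accounts (constructed).
KNOWN_ADMINS = {"alice@example.com"}


def _parse_ts(ts):
    """Okta timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_unexpected_resets(logs, known_admins, since_iso):
    """Return sensitive events on or after since_iso whose actor is not a
    known admin, sorted by time.  Each hit records actor, targets and IP so
    every affected user can be re-verified out of band."""
    since = _parse_ts(since_iso)
    hits = []
    for entry in logs:
        if entry["eventType"] not in SENSITIVE_EVENTS:
            continue
        if _parse_ts(entry["published"]) < since:
            continue
        actor = entry["actor"]["alternateId"]
        if actor in known_admins:
            continue
        hits.append({
            "time": entry["published"],
            "event": entry["eventType"],
            "actor": actor,
            "targets": [t["alternateId"] for t in entry["target"] if t["type"] == "User"],
            "ip": entry["client"]["ipAddress"],
        })
    return sorted(hits, key=lambda h: h["time"])


def actors_and_targets(hits):
    """Map each unexpected actor to the set of users whose credentials or
    factors they changed; this is the list that needs re-enrolment."""
    summary = {}
    for h in hits:
        summary.setdefault(h["actor"], set()).update(h["targets"])
    return summary


if __name__ == "__main__":
    hits = find_unexpected_resets(SAMPLE_LOGS, KNOWN_ADMINS, "2022-01-01T00:00:00.000Z")
    print(json.dumps(hits, indent=2))
    for actor, users in actors_and_targets(hits).items():
        print(f"{actor} changed credentials or factors for: {sorted(users)}")
```

Against the constructed sample the script ignores Alice’s reset (a known admin) and the CFO’s ordinary sign-in, and reports the two factor changes made by the vendor-side account. In a real tenant you would feed it the output of `GET /api/v1/logs` with the `since` parameter set to the start of the window of concern, and treat every user in the resulting summary as needing password and MFA re-enrolment through a channel you control.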
Clarity from Okta would be especially valuable in this situation, as Lapsus$’s overall motives remain unclear.
“Lapsus$ has expanded their goals beyond specific industries or specific countries or regions,” said Pratik Savla, senior security engineer at security firm Venafi. “This makes it more difficult for analysts to predict which company will be most at risk next. It’s probably a conscious move to keep everyone guessing, because these tactics have helped attackers well so far.”
As the security community struggles to get a handle on the Okta situation, Lapsus$ may have more revelations in store.