Authentication outfit Okta investigating Lapsus$ breach report

The Lapsus$ extortion crew has turned its attention to identity platform Okta and published screenshots purportedly showing the group gaining access to the company's internals. The incident follows the group's claim over the weekend that it had made off with chunks of Microsoft's code. However, a compromise at Okta could be …

  1. Anonymous Coward

    what a fucking surprise!

    Nice idea putting all your admin credentials for everyone in large businesses in one bucket in a fucking cloud.

    pretty fucking obvious what would happen sooner or later.

    1. Anonymous Coward

      Re: what a fucking surprise!

      It's kinda even worse than that… my Okta password is Active Directory integrated, so you have just spaffed credentials that authenticate your VPN and whole network access out of the door to the cloud.

      Thankfully Okta Verify and VPN connections both do at least provide a tiny amount of 2FA comfort…

  2. HereIAmJH

    any employees who’ve changed their passwords in the last 4 months

    Shouldn't that be all of them?

    1. Cederic Silver badge

      Re: any employees who’ve changed their passwords in the last 4 months

      Not necessarily. There's a school of thought that forcing frequent password changes is less secure.

      My employer has a 'once every 7 months' policy.

      1. Anonymous Coward

        Re: any employees who’ve changed their passwords in the last 4 months

        My employer is once every 8 months...do I beat you?


    2. Anonymous Coward

      Re: any employees who’ve changed their passwords in the last 4 months

      Periodic password changes/resets are no longer considered best practice. A number of studies have come to the conclusion that these changes don't really help with security. Most black hat hackers assume a life of only a few days for stolen credentials.

      So, unless users change their passwords every few days, there is not much point in doing it at all. Many companies (and regulatory bodies, like PCI) have always required a password change every 90 days. If there has been a compromise of user credentials, 90 days is an eternity.

      The National Institute of Standards and Technology now provides this advice (NIST SP 800-63B section 5.1.1.2):

      "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

      So, now IT security people (like myself) only require a password change if there is any suspicion of the compromise of a particular person's credentials. A company wide change can be required if there is any suspicion of multiple account compromises.

      1. spireite Silver badge

        Re: any employees who’ve changed their passwords in the last 4 months

        My employer gave me a new laptop, and didn't even enforce a change of password on delivery to my house!

        Nor do they appear to have a time policy either.

      2. Anonymous Coward

        Re: any employees who’ve changed their passwords in the last 4 months

        Most people will just be bored of this and will get Chrome/Firefox/password manager of choice to suggest one.

  3. Paul Eagles
    Megaphone

    Come on Okta, talk to your customers!

    The silence from Okta is deafening. Other than a single paragraph on their LinkedIn page and the tweets from the CEO I'm yet to see any communication from them.

    For a company that, on their Trust Hub (https://trust.okta.com/), claims that "Trust starts with transparency" and "The Okta Trust Page is a hub for real-time information on performance, security, and compliance.", I would like to think they would be more proactive. I'm certainly not seeing any "real-time information".

    1. Anonymous Coward

      Re: Come on Okta, talk to your customers!

      As a client, I got information from Okta a few hours ago.

      1. Anonymous Coward

        Re: Come on Okta, talk to your customers!

        You're not trying to tell me a company is taking care of its customers before addressing the baying pitchfork mob of people saying cloud services are shit and everything should be done on an AS400 hooked up to a 1.5 Mbps fiber-optic T-1 line like the good old days? I coded in FORTRAN don't you know...

  4. spireite Silver badge

    MFA?

    Surely, if you're using any third party (and, for that matter, if not)...

    You should always have a decent MFA policy in place?? So it's mitigated then?

  5. EnviableOne

    Trust No 1

    IMHO the way they have handled this has irreparably damaged any trust customers had in their business.

    And in their field that's the most important thing.

    They knew there was a breach back in January and didn't tell anyone until the threat actor did.

    And trusting Sitel is always a recipe for disaster (there's a reason it's usually spelt with an additional h).
