Okta now says: Lapsus$ may in fact have accessed customer info

Identity management as-a-service platform Okta says the Lapsus$ extortion gang may in fact have gained unauthorized access to some of its customers' data, and Microsoft has confirmed the crew got its grubby paws on some source code. An updated post detailing Okta's response to claims of an intrusion into the service sees chief …

  1. Anonymous Coward

    Because Lapsus$ monitors victims' internal communications, Microsoft recommends development of an out-of-band communication plan for incident responders "that is usable for multiple days while an investigation occurs."

    My former employer has gone all-in with MS, so they did not replace the ageing Cisco VoIP phone network that was sort-of independent, but mandated that Teams and other MS products be used for all internal communications. The issue of 999 calls was blustered away by saying everyone will have a phone.

    Should be fun to hear the outcome when they eventually get hit!

  2. Gene Cash Silver badge

    Bottom drawer

    Behind a sign saying "Beware of the Leopard"?

  3. Ben Tasker

    Okta's comms have been laughable

    Compromises happen, even to authentication providers.

    What doesn't instill trust, though, has been Okta's communication about the issue.

    They've gone from "no, it's just something that happened months ago that we never mentioned" to "yeah, it was months ago, and it turns out they accessed some customer data, we're making contact".

    Forensic investigations take time, and it's not Okta's fault they only got the report back recently, but they should have been proactively contacting customers *in January*.

    They're a gateway to a myriad of other systems, there's absolutely no excuse for having left those systems at risk despite knowing that a "limited" compromise of their own systems had occurred.

    All they needed to say was

    "Dear customer, we've detected a possible security incident with a third party supplier, we're investigating, but please consider whether you wish to reset access credentials"

    Instead they kept quiet and let their customers shoulder the risk.

    Not exactly a ringing endorsement for a provider that's supposed to be part of your first line of defence.

    1. Anonymous Coward

      Re: Okta's comms have been laughable

      Yeah, we're about to have a serious discussion as to whether they stay in our org. And not because of the breach, because of the (lack of) response. We dumped RSA for the same reason many, many years ago. Don't these companies ever learn?

      1. Paul Eagles

        Re: Okta's comms have been laughable

        Yeah, their communication has been a shambles.

        I reminded them earlier today of the wording on the Trust Hub. Words like 'transparency' and 'real-time communication' were quoted back to them.

      2. Anonymous Coward

        Re: Okta's comms have been laughable

        “Reputational Damage and Transparency” are de rigueur in annual mandatory/compliance training these days.

  4. hoola Silver badge

    2.5%

    So how many users is 2.5%?

    That sounds like a nice reassuring low number to publish but the reality in numerical terms will be very different.

    1. hoola Silver badge

      Re: 2.5%

      Answering my own question.......

      Apparently Okta have scaled to 50 billion accounts, so that suggests that 1.25 billion accounts have been accessed.

      This just goes to show how you can make bad news look like good news.......

      Source:

      https://www.okta.com/resources/whitepaper/scaling-okta-to-billions-of-users/

      1. iron

        Re: 2.5%

        You would have answered it more quickly and accurately by RTFA.

        1. hoola Silver badge

          Re: 2.5%

          Abusive comments are not helpful. The article states 2.5% of Okta customers; there is no information on the number of accounts, they could be tiny, they could be massive.

          All I did was look at Okta's boast that they have scaled to 50 billion accounts. That puts a bit more perspective on it. It is unlikely to be 2.5% of that total, but nobody appears to know how many accounts are affected and only Okta know that.

          You don't need that many customers for it to be a very large number.

          Percentages can make large problems sound nice and small.

      2. This post has been deleted by its author

      3. PriorKnowledge

        How many humans are there on Earth?

        That number sounds like they’re scaling beyond the Space Elevator!

        1. Paul Eagles

          Re: How many humans are there on Earth?

          An individual can have multiple accounts in Okta. Let's say your employer uses Okta and you're a member of the Emirates rewards program. That's 2 Okta accounts for you.

      4. Paul Eagles

        Re: 2.5%

        It's 2.5% of company accounts (so 2.5% of Okta tenants) that have been impacted. That doesn't equate to 2.5% of the total user accounts in Okta. Tenants vary wildly in size, some will be very small and some are enormous.

        I've specifically asked Okta how many potential user accounts there are but so far, and as expected, they've declined to answer that.

    2. Mikehhh

      Re: 2.5%

      The article estimates 375 tenants ("Okta claims to have more than 15,000 customers, so if 2.5 per cent have been compromised that could be 375 organisations").

      Okta claim it's 366 tenants in their follow-up post: https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/

  5. Doctor Syntax Silver badge

    "Okta claims to have more than 15,000 customers, so if 2.5 per cent have been compromised that could be 375 organisations that now need to determine if all logons to their preferred clouds – and the actions taken by authenticated users – were legitimate and/or innocuous."

    But all 15,000 will need to assume they were amongst the 375.

    1. EnviableOne

      According to Okta, the precise number is 366, and that's the sum total of customers accessed by all agents at their sub-processor over the 4-day period.

  6. Vimes

    Why doesn't Microsoft just revert back to full Borg mode and refer to them as SPECIES-0537?

  7. Frank Bitterlich

    Wolf, goat and cabbage problem

    Hmmm. "Laptop", "[external] support engineer", "customer data"... looks like those three terms always appear together in articles which also contain the term "compromised", and "[company name] takes the security of its customers' data very seriously."

    I wonder why...
