OKTA DATA BREACH
Data breaches can happen anywhere, at any time, to anyone, and the situation Okta is in is a frightening one. These breaches can cause a lot of damage. For an individual, they can expose things like social security numbers or banking information. For a business, they damage reputation and finances, because customers remember the breach and may no longer trust the company. Lastly, a data breach can affect a government or organization by exposing highly confidential information about military or foreign parties. Okta is a business with many customers who trust it, so it must always try to protect everyone's information.
Okta, Inc. is a tech company that provides secure user authentication for login access and gives developers tools to build identity controls for access to apps and websites. Early on March 22, single sign-on provider Okta confirmed it was investigating a potential breach by Lapsus$, a hacking group. Knowledge of the possible breach emerged after the group posted screenshots on the internet detailing its access to Okta's environment and stating that Okta's clients were the end target. Because Okta works with over 15,000 global companies, this data breach had the potential to be catastrophic. Fortunately, Okta reports that the hackers only had access to its system for 5 days.
WHO, WHAT, WHEN, WHERE, AND HOW DID THE OKTA BREACH HAPPEN?
WHAT IS A DATA BREACH, AND HOW DO THEY HAPPEN?
A data breach exposes sensitive or confidential information to unauthorized parties. Behind most large data breaches there is a weakness in the company or organization's technology or in user behavior. They can happen accidentally, as when Microsoft pushed updates with misconfigured code to its security database in 2019, which accidentally leaked millions of customer IP and email addresses.
When a data breach is carried out intentionally, it is typically done to gain access to sensitive company or customer information, which can then be ransomed or exploited for financial gain. The Okta breach was an intentional cyber-attack launched by the South American hacker group Lapsus$.
HOW DID THE OKTA BREACH HAPPEN?
In January 2022, Okta discovered screenshots of sensitive internal company information posted on the popular messaging site Telegram. Its investigators quickly determined that the hacker group Lapsus$ had gained access to a single computer used by a third-party support engineer that Okta employed. This single point of access demonstrates how attackers can exploit the smallest weakness if a company is not vigilant about its cyber security measures. Lapsus$, which is notoriously open about its exploits, posted screenshots of internal Slack communications as well as workflow tickets to its Telegram channel, which is what alerted Okta to the breach.
OKTA DATA BREACH DETAILS PAINT A FAMILIAR PICTURE OF CYBER ATTACKS
In 2021, there were 623 million ransomware attacks globally, an increase of 105% from the previous year. Lapsus$ has also reportedly breached Samsung, Nvidia, Microsoft, and even Brazil's health ministry. While your organization may not use Okta directly, the impact of a breach can be wide-ranging, as the platform is leveraged by many vendors worldwide. AgileBlue will continue to closely monitor the situation, and our 24×7 SOC team continues to engage in active threat hunting to provide as much security as possible for all clients.
WHAT INFORMATION DID THE HACKERS GAIN ACCESS TO?
Okta, along with many other companies, has been affected by hackers like Lapsus$. This attack reportedly affected as many as 366 Okta customers worldwide, almost 2.5% of Okta's global customer base.
After gaining access to the Okta system, Lapsus$ leaked 37 GB of data, including archives and images obtained through Okta. The hackers also released screenshots and photos of user identities, as well as sensitive screenshots depicting Okta's internal systems. Lapsus$ has said it was not going after Okta's own data but was focused on the company's customers.
WHERE DID THE BREACH HAPPEN AND WHY?
There are many reasons why someone would want to take data from a large company: simply because they think they can, revenge, sabotage, financial gain, blackmail, and vandalism. The motivation behind Lapsus$ wanting to get into Okta is still unclear, but it is believed to be money and fame. Based on the data shared from the breach and what Lapsus$ has said about its activity, it appears that the main target was Okta's massive customer base rather than Okta's own company information.
WHEN DID THE OKTA DATA BREACH HAPPEN?
In January 2022, Okta detected what it thought was an "unsuccessful attempt" to compromise the account of a third-party provider. At that time, Okta security received an alert that a new MFA factor had been added to an employee's account from a location that had never been used before. On March 22, 2022, Okta confirmed the attempt. The screenshots Lapsus$ released, showing highlights of Okta's internal systems, are dated January 21, 2022. Lapsus$ had access to this account from the 16th to the 21st of January 2022.
WHAT TO DO IF YOU WERE IMPACTED BY THE OKTA DATA BREACH
Watch and protect all of your Okta logs; look for anything suspicious.
Disable Okta Support access so that attackers cannot use it to reach your account.
Change your passwords.
Monitor employees and educate them on data safety to reduce risk.
Enable notifications so you get alerts for new or suspicious login attempts.
Use multiple forms of authentication.
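The first item above, watching your Okta logs for anything suspicious, can be made concrete. The following is an added example, not code from the original post, from Okta, or from AgileBlue: it scans Okta System Log events for a successful MFA factor activation from a country the user has never had a successful session from, which is the signal that tipped Okta off in January 2022. The event type names are assumed to follow Okta's System Log schema, and the events themselves are constructed for this example.

```python
import json
from collections import defaultdict

# Event type names assumed to follow Okta's System Log schema.
SESSION_START = "user.session.start"
FACTOR_ACTIVATE = "user.mfa.factor.activate"

# Constructed sample of newline-delimited System Log events, trimmed to the fields used here.
SAMPLE_LOG = """\
{"published":"2022-01-10T09:00:00Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"engineer@example.com"},"client":{"ipAddress":"203.0.113.5","geographicalContext":{"country":"United States"}}}
{"published":"2022-01-11T09:05:00Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.9","geographicalContext":{"country":"United States"}}}
{"published":"2022-01-15T23:40:00Z","eventType":"user.session.start","outcome":{"result":"FAILURE"},"actor":{"alternateId":"engineer@example.com"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"Brazil"}}}
{"published":"2022-01-16T02:13:00Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"engineer@example.com"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"Brazil"}}}
{"published":"2022-01-17T08:00:00Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"admin@example.com"},"client":{"ipAddress":"203.0.113.9","geographicalContext":{"country":"United States"}}}
"""

def parse_events(ndjson: str) -> list:
    """Parse newline-delimited JSON events and order them by publish time."""
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["published"])

def _country(event: dict) -> str:
    return event.get("client", {}).get("geographicalContext", {}).get("country", "unknown")

def find_factor_activations_from_new_locations(events: list) -> list:
    """Alert on successful MFA factor activations from a country in which the
    user has never had a successful session. Failed logins never build baseline."""
    known = defaultdict(set)  # user login -> countries with a successful session
    alerts = []
    for ev in events:
        if ev["outcome"]["result"] != "SUCCESS":
            continue
        user = ev["actor"]["alternateId"]
        country = _country(ev)
        if ev["eventType"] == SESSION_START:
            known[user].add(country)
        elif ev["eventType"] == FACTOR_ACTIVATE and country not in known[user]:
            alerts.append({"user": user, "country": country,
                           "ip": ev["client"]["ipAddress"],
                           "published": ev["published"],
                           "known_countries": sorted(known[user])})
    return alerts

if __name__ == "__main__":
    for a in find_factor_activations_from_new_locations(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['published']} {a['user']} activated an MFA factor from "
              f"{a['country']} ({a['ip']}); previously seen in {a['known_countries']}")
```

Against the sample, only the engineer's activation from Brazil is flagged; the admin's activation from an already-seen country is not.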
FREQUENTLY ASKED QUESTIONS ABOUT THE OKTA BREACH
Q: How do you prevent data breaches?
A: There are many ways to try to prevent data breaches.
Always update your software whenever an update is available.
Upgrade devices when your current device no longer supports the software you need.
Educate employees on what to look for and teach them security practices.
Enforce strong credentials, such as passwords.
Use multi-factor authentication.
Q: How does a data breach affect me?
A: Data breaches impact both organizations and you by exposing sensitive content. If you are a victim of one of these attacks, you have to change passwords frequently, freeze credit cards, and regularly monitor your personal information. You could be in danger of identity theft if the hackers want to use sensitive information against you, especially if they have gotten hold of your social security number, email address, password, and ID number.
Q: How can IT security specialists help protect me and my company?
A: While your organization may not use Okta directly, the impact of a breach can be wide-ranging, since the platform is leveraged by thousands of vendors worldwide. AgileBlue will continue to closely monitor the situation, and our 24×7 SOC team continues to engage in active threat hunting to provide as much security as possible for all clients.
ABOUT ROSENMAN IT SOLUTIONS LLC
Rosenman IT Solutions LLC provides technical support for all your IT needs and is based in the USA. We are a managed services provider and IT consulting firm based in Troy, Michigan. Combining expertise, creativity, and versatility for your business's success, our solutions help your business through any IT service or challenge you may have, nationwide, with 24/7 support.
Sources:
https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise
https://www.digitalshadows.com/blog-and-research/the-okta-breach-what-we-know-so-far/
https://www.kaspersky.com/resource-center/definitions/data-breach
https://thehackernews.com/2022/03/lapsus-hackers-claim-to-have-breached.html
https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/