Okta – a major Identity and Access Management vendor – has confirmed that it has commissioned an investigation after the Lapsus$ cybercrime gang claimed to have gained access to its systems. This threat actor has recently been responsible for data breaches of companies such as Nvidia, Samsung and Ubisoft.

The validity of Lapsus$’s claim of compromise, and the extent of any resultant impact, are currently unclear. The attacker claims not to have stolen databases of credentials directly from Okta, instead stating that “its focus was only on the company’s customers.” Without further information – which can likely only be provided by Okta pending investigation – it will be difficult to identify the true extent of the exposure.

Reliance Cyber supports Okta for many of our clients, and in many cases, we monitor its use through our Managed Detection and Response service. We have some robust monitoring rules in place to detect suspicious Okta activity, tracking all modifications, additions and sign-ins. We will continue to monitor open-source threat feeds, cyber security news outlets and our premium curated Threat Intelligence feeds for Indicators of Compromise. We will update our rules and hunting activity accordingly to afford the best possible level of coverage until more information is provided by Okta.

Recommendations: 

For any organisation that relies on Okta, we strongly recommend that: 

  • All privileged Okta passwords are rotated as a precaution
  • A thorough review of privileged accounts is conducted to ensure that permissions are appropriate to individuals
  • A list is generated of all Okta users created since 1st January 2022 and the validity of each user is confirmed
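
One way to work through the first and third recommendations offline, as an added example (not Reliance Cyber's or Okta's code): it reads a JSON export shaped like Okta Users API user objects, lists accounts created since 1st January 2022, and flags privileged accounts whose `passwordChanged` timestamp predates the rotation. The sample records, the set of privileged logins and the rotation date are constructed assumptions supplied by the reviewer.

```python
import json
from datetime import datetime, timezone

# Cut-off taken from the advisory: users created since 1st January 2022.
CREATED_SINCE = datetime(2022, 1, 1, tzinfo=timezone.utc)

# Constructed sample, shaped like user objects returned by the Okta Users API.
SAMPLE_EXPORT = json.dumps([
    {"status": "ACTIVE", "created": "2019-03-04T10:00:00.000Z",
     "passwordChanged": "2021-11-30T08:15:00.000Z",
     "lastLogin": "2022-03-21T17:02:11.000Z",
     "profile": {"login": "alice.admin@example.com"}},
    {"status": "ACTIVE", "created": "2022-01-21T09:14:03.000Z",
     "passwordChanged": "2022-03-23T07:40:00.000Z",
     "lastLogin": "2022-03-23T07:41:10.000Z",
     "profile": {"login": "bob.ops@example.com"}},
    {"status": "PROVISIONED", "created": "2022-02-10T13:30:00.000Z",
     "passwordChanged": None, "lastLogin": None,
     "profile": {"login": "svc-sync@example.com"}},
    {"status": "ACTIVE", "created": "2021-12-31T23:59:59.000Z",
     "passwordChanged": "2022-01-05T12:00:00.000Z",
     "lastLogin": "2022-03-20T09:00:00.000Z",
     "profile": {"login": "carol@example.com"}},
])

def parse_ts(value):
    """Parse an Okta timestamp (e.g. 2022-01-21T09:14:03.000Z); None stays None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def review(users, privileged_logins, rotation_cutoff):
    """Return (users created since the cut-off, privileged logins still to rotate)."""
    new_users, stale_privileged = [], []
    for user in users:
        login = user["profile"]["login"]
        if parse_ts(user["created"]) >= CREATED_SINCE:
            new_users.append((user["created"], login, user["status"], user.get("lastLogin")))
        if login in privileged_logins:
            changed = parse_ts(user.get("passwordChanged"))
            # No recorded change, or a change before the cut-off, needs follow-up.
            if changed is None or changed < rotation_cutoff:
                stale_privileged.append(login)
    return sorted(new_users), sorted(stale_privileged)

if __name__ == "__main__":
    privileged = {"alice.admin@example.com", "bob.ops@example.com"}  # assumed list
    cutoff = datetime(2022, 3, 22, tzinfo=timezone.utc)  # assumed rotation date
    new_users, stale = review(json.loads(SAMPLE_EXPORT), privileged, cutoff)
    for created, login, status, last_login in new_users:
        print(f"confirm validity: {login} status={status} created={created} lastLogin={last_login}")
    for login in stale:
        print(f"rotate password: {login}")
```

Each account in the first list still needs a human owner to confirm it was requested and approved; the script only narrows the set to review.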