“In Okta’s statement, they said they were not breached and that the attacker’s attempts were ‘unsuccessful,’ yet they openly admit that attackers had access to customer data,” says independent security researcher Bill Demirkapi. “If Okta knew since January that an attacker may have been able to access confidential customer data, why did they never inform any of their customers?”
In practice, breaches of third-party service providers are an established attack path to ultimately compromise a primary target, and Okta itself seems to carefully limit its circle of “sub-processors.” A list of these affiliates from January 2021 shows 11 regional partners and 10 sub-processors. The latter group are well-known entities like Amazon Web Services and Salesforce. The screenshots point to Sykes Enterprises, which has a team located in Costa Rica, as a possible affiliate where an employee’s Okta administrative account may have been compromised.
Sykes, which is owned by the business services outsourcing company Sitel Group, said in a statement, first reported by Forbes, that it suffered an intrusion in January.
“Following a security breach in January 2022 impacting parts of the Sykes network, we took swift action to contain the incident and to protect any potentially impacted clients,” the company said in a statement. “As a result of the investigation, along with our ongoing assessment of external threats, we are confident there is no longer a security risk.”
The Sykes statement went on to say that the company is “unable to comment on our relationship with any specific brands or the nature of the services we provide for our clients.”
On its Telegram channel, Lapsus$ posted a detailed (and frequently self-congratulatory) rebuttal to Okta’s statement.
“The potential impact to Okta customers is NOT limited, I’m pretty certain resetting passwords and [multifactor authentication] would result in complete compromise of many clients systems,” the group wrote. “If you are commited [sic] to transparency how about you hire a firm such as Mandiant and PUBLISH their report?”
For many Okta customers struggling to understand their potential exposure from the incident, though, all of this does little to clarify the full scope of the situation.
“If an Okta support engineer can reset passwords and multifactor authentication factors for users, this could present real risk to Okta customers,” Red Canary’s McCammon says. “Okta customers are trying to assess their risk and potential exposure, and the industry at large is looking at this through the lens of preparedness. If or when something like this happens to another identity provider, what should our expectations be regarding proactive notification and how should our response evolve?”
Clarity from Okta would be especially valuable in this situation, because Lapsus$’s general motivations are still unclear.
“Lapsus$ has expanded their targets beyond specific industry verticals or specific countries or regions,” says Pratik Savla, a senior security engineer at the security firm Venafi. “This makes it harder for analysts to predict which company is most at risk next. It’s likely an intentional move to keep everyone guessing, because these tactics have been serving the attackers well so far.”
As the security community scrambles to get a handle on the Okta situation, Lapsus$ could have even more revelations brewing.