VentureBeat presents: AI Unleashed - An exclusive executive event for enterprise data leaders. Network and learn with industry peers. Learn More

Okta said Tuesday evening that roughly 2.5% of its customers were potentially impacted by the data breach by the Lapsus$ hacker group in January.

The identity and access management vendor did not specify how the customers may have been impacted.

“After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon,” Okta chief security officer David Bradbury said in an update to the company’s post on the Lapsus$ breach.

Earlier on Tuesday, Bradbury had disclosed that Lapsus$ had accessed the account of a customer support engineer, who worked for a third-party provider, for five days in January.


AI Unleashed

An exclusive invite-only evening of insights and networking, designed for senior enterprise executives overseeing data stacks and strategies.


Learn More

In a separate post on Tuesday about Okta’s investigation of the breach, Bradbury said that the “maximum potential impact” from the breach is 366 customers (roughly 2.5% of Okta’s 15,000 customers).

Bradbury also identified the third-party provider as Sitel, which provides Okta with contract workers for customer support. Despite an investigation being launched by a “leading forensic firm” on January 21, Okta did not receive a report from Sitel about the incident until March 17, Bradbury said.

“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report,” Bradbury said in the post about the investigation. “Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.”

Lapsus$ leak

The disclosures by Okta came in response to screenshots posted on Telegram by Lapsus$, showing what the threat actor said was “access to Superuser/Admin and various other systems.”

In the updated post Tuesday evening, Bradbury reiterated that “the Okta service is fully operational, and there are no corrective actions our customers need to take.”

However, not all in the tech industry were reassured by Okta’s latest statement on the incident.

“I said last night this was very, very bad. Today I trusted Okta and thought it was okay,” said Dan Starner, an infrastructure software engineer, in a tweet.

But after the latest disclosure, that more than 2.5% of customers were potentially impacted, “now I know it’s very, very bad and that I don’t trust Okta anymore,” Starner wrote on Twitter. “Security is hard and breaches happen, but lying by omission is worse than telling us our data may be compromised.”

VentureBeat has reached out to Okta for comment.

Impact unclear

While we now know that the number of impacted customers is likely in the hundreds rather than in the thousands, “how they’ve been impacted remains unclear,” said Emsisoft threat analyst Brett Callow in a tweet.

In the updated post, Bradbury said that Okta has identified impacted customers and has “already reached out directly by email.”

“We take our responsibility to protect and secure customers’ information very seriously,” he said. “We deeply apologize for the inconvenience and uncertainty this has caused.”

In the past, customers disclosed by Okta have included JetBlue, Nordstrom, Siemens, Slack, Takeda, Teach for America, Twilio, GrubHub, Bain & Company, Fidelity National Financial, Hewlett Packard Enterprise, T-Mobile, Sonos and Moody’s. In 2017, Okta said that the U.S. Department of Justice was a customer.

In the original post earlier in the day on Tuesday, Bradbury acknowledged that “there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop.”

“This is consistent with the screenshots that we became aware of yesterday,” he said, referring to the screenshots posted by Lapsus$ on Telegram.

‘Failure to disclose’

Bradbury said that the “potential impact to Okta customers is limited to the access that support engineers have.”

These engineers “are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots,” he said. “Support engineers can also facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.”

Security researcher Runa Sandvik said on Twitter on Tuesday that some may be “confused about Okta saying the ‘service has not been breached.’”

“The statement is purely a legal word soup,” Sandvik said. “Fact is that a third party was breached; that breach affected Okta; failure to disclose it affected Okta’s customers.”

Series of attacks

Lapsus$ specified that it did not access Okta itself. “Our focus was ONLY on okta customers,” the group said in its Telegram post.

In a Telegram post Tuesday, responding to Okta’s statement on the breach, Lapsus$ contended that “the potential impact to Okta customers is NOT limited.”

“I’m pretty certain resetting passwords and MFA would result in complete compromise of many clients systems,” the group said. Lapsus$ also claimed that Okta has been “storing AWS keys within Slack.”

Lapsus$ is believed to operate in South America. Over the past month, Microsoft, Nvidia and Samsung Electronics have confirmed the theft of data by the threat actor.

On Monday, Lapsus$ had claimed to have posted Microsoft source code for Bing, Bing Maps and Cortana on Telegram.

In a blog post Tuesday, Microsoft said that Lapsus$ had gained “limited access” to Microsoft systems by compromising a single account. “Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” Microsoft researchers said.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.