Okta Confirms Lapsus$ Attack, While Microsoft Investigates Breach Claim
Identity services provider Okta on Tuesday stated that its service wasn’t breached by Lapsus$ attackers, although the account of a third-party support engineer working with Okta did get hacked back in January.
On Monday, the attack group Lapsus$, thought to be based in Brazil, posted screenshots demonstrating an Okta software breach, as reported by Reuters. The group has recently drawn attention for also exposing the code and credentials of Nvidia, Samsung and Ubisoft in recent attacks.
Microsoft is yet another supposed Lapsus$ victim, with a recent claim this week that Azure DevOps was hacked. The hack is said to have exposed source code for Bing and Cortana. Microsoft currently is investigating this claim, according to a Bleepingcomputer.com article.
The article noted that Microsoft assumes its source code will be exposed when it builds software, and designs its security so that it does not depend on that code remaining secret. Microsoft refers to this method as its “inner source” software development approach.
However, former Microsoft security employee Kevin Beaumont commented that there were “multiple code signing certs leaked, not just source code,” in a March 22 Twitter post about the alleged Lapsus$ attack on Microsoft.
In a late-breaking announcement on Tuesday, part of a long article about the group, Microsoft addressed the issue and stated that just a single account had been breached by the Lapsus$ attackers:
“No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.”
In Okta’s case, the Lapsus$ attackers had access to the support engineer’s laptop for five days, “between January 16-21, 2022,” according to an unnamed forensics firm that Okta hired to investigate the incident.
The support engineer had access to “limited data,” such as “Jira tickets and lists of users,” as shown in the screenshots published by the attack group. Okta further claimed that the support engineer could reset passwords and multifactor authentication, but lacked the ability to access those passwords.
Okta added that “there are no corrective actions that need to be taken by our customers” and it is currently “contacting those customers that may have been impacted.”