On March 22nd, 2022, the hacking group Lapsus$ published information about a security breach at Okta for which the group claimed responsibility. As was later confirmed by Okta, the account of a contract worker for their Customer Support organization was used to access internal systems on January 20th and 21st, 2022 for approximately one hour. During this period the attacker was potentially able to access 2.5% of Okta's customer base with limited privileges.
Okta is an identity and access management company, and its services may be used within eduGAIN's constituency as well. The company claims that all customers that are possibly affected have been contacted directly. However, if you are an Okta customer, the eduGAIN Security Team recommends that you:
- examine Okta-related logs for malicious activity
- contact Okta to clarify whether you are impacted by the incident and which additional measures are advised
If you need help assessing the incident or need a proxy for communication with Okta, please contact the eduGAIN Security Team, as per https://edugain.org/edugain-security/.
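One way to start the log review recommended above, as an added example that comes from neither eduGAIN nor Okta: it filters exported Okta System Log events to the two days named in this advisory and to credential, MFA and impersonation changes. The choice of event types, the reading of the dates as UTC days and the sample records are assumptions of this example.

```python
import json
from datetime import datetime, timezone

# Dates reported in this advisory; treating them as UTC days is an assumption.
WINDOW_START = datetime(2022, 1, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)  # exclusive

# Okta event types for credential, MFA and impersonation changes.
# Using these as the review set is an assumption of this example.
REVIEW_EVENT_TYPES = {
    "user.account.reset_password", "user.account.update_password",
    "user.mfa.factor.reset_all", "user.mfa.factor.deactivate",
    "user.session.impersonation.initiate",
}

def parse_published(value):
    """Parse the ISO 8601 'published' field; Okta writes it in UTC with 'Z'."""
    when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def events_to_review(events, start=WINDOW_START, end=WINDOW_END):
    """Return summaries of review-set events inside [start, end), oldest first."""
    hits = []
    for ev in events:
        try:
            when = parse_published(ev["published"])
        except (KeyError, ValueError, AttributeError):
            continue  # no usable timestamp, cannot place it in the window
        if not (start <= when < end) or ev.get("eventType") not in REVIEW_EVENT_TYPES:
            continue
        hits.append({
            "published": when,
            "eventType": ev["eventType"],
            "actor": (ev.get("actor") or {}).get("alternateId"),
            "targets": [t.get("alternateId") for t in ev.get("target") or []],
            "result": (ev.get("outcome") or {}).get("result"),
        })
    return sorted(hits, key=lambda h: h["published"])

# Constructed sample records, not real log data.
SAMPLE_EVENTS = json.loads("""[
 {"published": "2022-01-21T00:10:05.000Z", "eventType": "user.mfa.factor.reset_all",
  "actor": {"alternateId": "support@example.org"}, "target": [{"alternateId": "alice@example.org"}], "outcome": {"result": "SUCCESS"}},
 {"published": "2022-01-20T23:50:12.000Z", "eventType": "user.account.reset_password",
  "actor": {"alternateId": "support@example.org"}, "target": [{"alternateId": "alice@example.org"}], "outcome": {"result": "SUCCESS"}},
 {"published": "2022-01-20T23:49:00.000Z", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.org"}},
 {"published": "2022-02-03T09:00:00.000Z", "eventType": "user.account.reset_password", "actor": {"alternateId": "bob@example.org"}},
 {"eventType": "user.account.reset_password"}
]""")
```

Each returned entry still needs a human check of whether the actor and target match a change your own administrators or users requested.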
References
Okta develops cloud-based software solutions for identity and authentication management (Identity as a Service, IDaaS) used by many large organizations.
https://www.okta.com/
Lapsus$ is a hacking group specializing in digital extortion of data from high-profile organizations. Since December 2021 they have claimed responsibility for breaches of companies like NVIDIA, Samsung, Microsoft and now Okta.
Okta's public response to the incident
https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/
https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/
Discussion on Twitter
https://twitter.com/_MG_/status/1506109152665382920