Identity giant Okta has confirmed a January network breach after hackers posted screenshots overnight apparently showing access to the company’s internal systems.
The Lapsus$ hacking group published several screenshots to its Telegram channel purporting to show internal Okta applications on January 21. Lapsus$ claimed it did not steal data from Okta, and that its focus was “only” on Okta customers.
Okta is used by thousands of organizations and governments worldwide as a single sign-on provider, allowing employees to securely access a company’s internal systems, such as email accounts, calendars, applications and more.
Okta chief executive Todd McKinnon confirmed the breach in a tweet thread overnight on March 22: “In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor.”
“We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”
McKinnon did not name the subprocessor. Okta has not yet responded to TechCrunch’s questions about the breach.
TechCrunch could not immediately verify the authenticity of the screenshots posted by Lapsus$. Security researcher Bill Demirkapi said that the screenshots contain several artifacts that suggest the hackers may have used a VPN to gain access to Okta’s network.
Lapsus$ has targeted several big-name companies in recent weeks, including Nvidia and Samsung. Just this week Microsoft said it was investigating a possible security breach. According to Wired, the group focused on Portuguese-language targets, including Portuguese media giant Impresa, and the South American telecom companies Claro and Embratel.