Okta Looking Into Customer Data Breach Claims by Lapsus$

Popular identity service provider Okta said it is looking into claims that the Lapsus$ ransomware group breached its customer data systems. Okta provides authentication management services to over 15,000 customers, including Siemens, ITV, Pret a Manger, and Starling Bank.

A potential breach could have major consequences for its customers. However, Okta has denied any ongoing malicious campaigns against the company.

Details of Okta’s Alleged Data Breach

Earlier today, the Lapsus$ ransomware gang posted screenshots of what it claims is Okta customer data on its Telegram channel.

Taking a swipe at Okta, the group said: “For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) i think these security measures are pretty poor.”

The group says it gained “superuser/admin” level access to okta.com, from where it exfiltrated customer data. Lapsus$ added that it did not steal or access databases from Okta, but that Okta’s customers were its targets. Furthermore, the shared screenshots show the system data as of Jan. 21 — which could mean that the breach took place a few months ago.

Okta Says Screenshots are from an Earlier Incident

An Okta spokesperson confirmed that the company is aware of the Lapsus$ group’s claims and is investigating the matter. The company said it will provide public updates as more details come to light. However, the company believes the shared data is from an incident dating back to January 2022. Okta CEO Todd McKinnon confirmed the same on Twitter.

“In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor,” McKinnon said.

“We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” he added.

Lapsus$ Ransomware Group Continues to Strike

The Lapsus$ group has been extremely active this year, going after some of the biggest corporations in the tech world, including Nvidia, Samsung, and Impresa. Earlier this week, the group claimed it breached Microsoft and released 37 GB of the company’s source code.

Typically, after gaining access to a victim’s network, Lapsus$ steals and holds on to data such as source code, customer lists, and databases. Following this, it threatens to release this proprietary information unless the victim pays a ransom.

Many details regarding the alleged Okta data breach remain unclear. Very little is known about the extent of the attack or the number of impacted customers. Okta offers its services to various companies, universities, and government agencies around the world.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.