Following a breach of its systems in January, Okta has released a forensic report finding that the threat group Lapsus$ accessed just two active customers via a third-party company. Lapsus$ "actively controlled" a workstation belonging to an engineer at support firm Sitel for 25 minutes on January 21st, the company said.
"The threat actor actively controlled a single workstation, used by a Sitel support engineer, with access to Okta resources," wrote Okta chief security officer David Bradbury. "During that limited window of time, the threat actor accessed two active customer tenants within the SuperUser application and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants."
While just two customers were accessed, many more users might have been affected, as Okta has 15,000 customers but over 100 million individual users. Despite the access, though, Lapsus$ was not able to do any MFA or password resets, configuration changes or customer support impersonation, Okta said. "The threat actor was unable to authenticate directly to any Okta accounts."
It took Okta two months to notify customers of the Lapsus$ breach, and it eventually released a statement saying it "made a mistake" in how it handled things. In a blog post last month, it revealed that 2.5 percent of its customers may have had their data viewed or acted upon during a five-day window.
It now looks like the breach was far more limited in scope, but Okta said it took lessons from the situation. It terminated its relationship with the contractor in question and promised to strengthen audit procedures for others. It's also going to directly manage the devices of third parties with access to customer support tools so it can respond more "effectively" to incidents. Finally, it's adopting new systems to "help us communicate more rapidly with customers" on security issues.