Okta, an identity authentication service with more than 15,000 customers, said Tuesday that an attacker had access to a support engineer’s laptop for five days in January. But the service itself was not breached, according to the company.
The Okta service that customers use to authenticate logins “has not been breached and remains fully operational,” Okta Chief Security Officer David Bradbury said in a blog post Tuesday.
“The potential impact to Okta customers is limited to the access that support engineers have,” Bradbury said, adding that these engineers are unable to download customer databases or create or delete users. “Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.”
The new details came hours after Okta said it was investigating reports of a possible digital breach. Reuters first reported that Okta was looking into reports of a possible digital breach after a hacking group known as Lapsus$ claimed responsibility for the incident and published screenshots claiming access to an Okta internal administrative account and the firm’s Slack channel.
Lapsus$, a mysterious hacking group that emerged in December, claimed on the messaging app Telegram that it did not steal any databases from Okta itself, but that “our focus was ONLY on Okta customers.”
Okta CEO Todd McKinnon tweeted early Tuesday morning that the firm believes those screenshots are related to the security incident in January that was contained.
Bradbury said that the firm is “actively continuing our investigation, including identifying and contacting those customers that may have been impacted.”
Lapsus$ has claimed to have stolen data from several high-profile corporate victims since December. The group began by focusing on Latin American victims and some security researchers suspect the group is based in Latin America.
But much about the group is a mystery. There is no evidence that the hackers have used ransomware to try to extort the victims, according to a March 17 analysis by cybersecurity firm Digital Shadows. The group appears to have tried to recruit rogue employees at companies who would be willing to cough up passwords to help with the hacks, Digital Shadows analysts said.
Lapsus$ has gone out of its way on its Telegram channel to emphasize that it is “not state sponsored” and that its “only goal is money.”
Shares of Okta were down nearly 8% in premarket trading Tuesday but later recovered much of those losses.