Since yesterday, Okta has released two important updates. Firstly, an updated statement on the breach, and then an investigation timeline on how the attack has unfolded since January 20 2022.
Okta has now released an updated official statement which you can read in full above. Importantly, the statement says: “After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email”
“The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data – for example, Jira tickets and lists of users – that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.”
To summarise, 366 Okta customers were impacted by this attack. This could have included visibility of Jira tickets, lists of users, resetting passwords, and resetting multi-factor authentication factors. If you were one of the 366 customers impacted by this, Okta claims to have already reached out via email.
Okta has also released an entire timeline of the attack that occurred on January 20 2022, which can be read in full above.
A new MFA factor was added to a Sitel employees Okta account from a new location at 23:18 and was investigated by Okta Security at 23:46. At 00:28 the Okta Service desk terminated the user’s Okta sessions and suspended the account.
At 18:00 Okta Security shared IOC’s with Sitel and Sitel advised they had a forensic firm on retainer. The Forensic firm’s investigation then took place between January 21 2022 and February 28 2022, with a report provided to Sitel on March 10 2022. Okta then received a summary of this report on March 17 2022.
Yesterday (March 22 2022) at 03:30, LAPSUS$ group shared 8 screenshots online appearing to show internal access to Okta’s systems. Okta at 05:00 determined the screenshots were related to the January Sitel incident. At 12:27, Okta finally received the full incident report from Sitel.
Further on in the report, Okta says: “The report from the forensic firm highlighted that there was a five-day window of time between January 16-21, 2022 when the threat actor had access to the Sitel environment, which we validated with our own analysis.
In trying to scope the blast radius for this incident, our team assumed the worst case scenario and examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period in question. Over the past 24 hours we have analyzed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period. We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers whose Okta tenant was accessed by Sitel.
Because of the access that the support engineers had, the information and the actions were constrained. While it is not a necessary step for customers, we fully expect they may want to complete their own analysis. For transparency, these customers will receive a report that shows the actions performed on their Okta tenant by Sitel during that period of time. We think this is the best way to let customers assess the situation for themselves.”
Further to the recommendations from yesterday, if you are an Okta customer:
- If you have been impacted by this attack, Okta have said that they will contact you directly. This contact should include any activity which occurred on your network from a Sitel engineer.
- Ensure that the Okta support agent is disabled as it isn’t by default. To do this go to your Okta Admin Console > Settings > Account > Give Access to Okta Support and click disable.