Okta confirms January breach after hackers publish screenshots of its internal network

Identity giant Okta has confirmed a January security incident after hackers posted screenshots overnight apparently showing access to the company’s internal systems.

The Lapsus$ hacking group published several screenshots to its Telegram channel purporting to show internal Okta applications, Jira bug ticketing system, and the company’s Slack on January 21. Lapsus$ claimed it did not steal data from Okta, and that its focus was on targeting Okta customers.

Okta is used by thousands of organizations and governments worldwide as a single sign-on provider, allowing employees to securely access a company’s internal systems, such as email accounts, calendars, applications and more.

Okta chief executive Todd McKinnon confirmed the breach in a tweet thread overnight on March 22: “In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor.”

“We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Okta has not yet named the subprocessor, and has not yet responded to TechCrunch’s questions about the breach.

In an updated statement, Okta’s chief security officer David Bradbury said the compromise was with one of Okta’s third-party providers over a five-day window between January 16-21, 2022. Forbes is reporting that the company in question is Sykes, a company acquired by Sitel Group in July 2021. In a brief statement, Sitel said it was “confident there is no longer a security risk,” but declined to comment on its relationship with its customers, and did not immediately answer our questions.

Security researcher Bill Demirkapi said that the screenshots contain several artifacts that suggest the hackers may have used Sykes’ remote access tools and VPN to gain access to Okta’s network.

Lapsus$ has targeted several big-name companies in recent weeks, including Nvidia and Samsung. Just this week Microsoft said it was investigating a possible security breach. According to Wired, the group focused on Portuguese-language targets, including Portuguese media giant Impresa, and the South American telecom companies Claro and Embratel.

If you know more about the Okta breach or work at the company, get in touch with the security desk on Signal at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.