Lapsus$ found a spreadsheet of accounts as they breached Okta, documents show

The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents seen by TechCrunch that provide new details of the cyber intrusion that have not yet been reported.

Customers only learned of Okta’s January security breach on March 22 after the Lapsus$ hacking group published screenshots revealing it had accessed Okta’s internal apps and systems some two months earlier. Okta admitted the compromise in a blog post, and later confirmed 366 of its corporate customers are affected by the breach, or about 2.5% of its customer base.

The documents provide the most detailed account to date of the Sitel compromise, which allowed the hackers to later gain access to Okta’s network.

Okta is used by thousands of organizations and governments worldwide as a single sign-on provider, allowing employees to securely access a company’s internal systems, such as email accounts, applications, databases and more.

The documents, obtained by independent security researcher Bill Demirkapi and shared with TechCrunch, include a Sitel customer communication sent on January 25 — more than a week after hackers first compromised its network — and a detailed timeline of the Sitel intrusion compiled by incident response firm Mandiant dated March 17 that was shared with Okta.

According to the documents, Sitel said it discovered the security incident in its VPN gateways on a legacy network belonging to Sykes, a customer service company working for Okta that Sitel acquired in 2021. VPNs, or virtual private networks, are often a target for attackers since they can be exploited to remotely access a company’s network.

The timeline details how the attackers used remote access services and publicly accessible hacking tools to compromise and navigate through Sitel’s network, gaining deeper visibility to the network over the five days that Lapsus$ had access. Sitel said that its Azure cloud infrastructure was also compromised by hackers.

According to the timeline, the hackers accessed a spreadsheet on Sitel’s internal network early on January 21 called “DomAdmins-LastPass.xlsx.” The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee’s LastPass password manager. Sitel spokesperson Matt Jaffe did not dispute this characterization when reached by TechCrunch prior to publication, but instead declined to comment. A day after publication, Sitel said in a statement that the spreadsheet “simply listed account names from legacy Sykes but did not contain any passwords,” but did not offer any evidence for this claim.

About five hours later, the hackers created a new Sykes user account and added the account to a user group called “tenant administrators,” which have broad access to the organization, likely to create a “backdoor” account to Sitel’s network that the hackers could use if they were later discovered and locked out. The Lapsus$ hackers were compromising Okta’s network at around the same time, according to Okta’s timeline of events.

The timeline shows that the hackers last accessed Sitel’s network on January 21 at 2 p.m. (UTC), around 14 hours after accessing the spreadsheet. Sitel issued a company-wide password reset to try to lock out the attackers.

Okta has faced criticism for not warning customers sooner of the Sitel breach following its receipt of Mandiant’s report dated March 17. Okta chief security officer David Bradbury said the company “should have moved more swiftly to understand its implications.”

Okta was unable to comment when reached prior to publication. Mandiant also did not dispute the contents of the reports but declined to comment.

Okta is just one of several big-name companies targeted by the Lapsus$ hacking and extortion group in recent months. The Lapsus$ group first emerged on the hacking scene in December after targeting Brazil’s Ministry of Health in a cyberattack that stole 50 terabytes of data, including citizens’ vaccination information. Since then, the gang has targeted several Portuguese-language companies, as well as Big Tech giants including Samsung, Nvidia, Microsoft and Okta, touting its access and stolen data to the tens of thousands of subscribers of its Telegram channel, while often making unusual demands in exchange for not publishing their victims’ stolen files,

U.K. police said last week they had arrested seven people connected to the incidents, all aged between 16 and 21.

Updated headline with comment from Sitel’s comment, sent a day after publication.


If you know more about the breach or work at Okta or Sitel, get in touch with the security desk on Signal at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.