There's been another development in the Lapsus$ saga


The identity management software firm Okta has admitted that it made a mistake in the way in which it handled an attack on one of its suppliers by the data extortion hacking group Lapsus$.

In a recently published FAQ, the company provided a full timeline of the incident beginning on January 20, when it first learned that “a new factor was added to a Sitel employee’s Okta account from a new location”. For those unfamiliar, Okta uses Sitel to provide some customer support services to its users.


While the attempt to add a new factor was unsuccessful, Okta still went ahead and reset the account in question and notified Sitel of the matter by sharing “indicators of compromise” with the company. From there, Sitel informed Okta that it had “retained outside support from a leading forensic firm”.
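The signal Okta describes above, a new MFA factor being added to an account from a location that account had not been seen from before, is one that any identity-log pipeline can test for. The following is an added example, not code from Okta, Sitel or the article: it builds a per-user baseline of countries seen on successful logins, in timestamp order, and flags factor-enrolment events whose country is absent from that baseline, then collects the indicators (source IPs and timestamps) that a defender would hand to the affected supplier. The log records and the field and event names (`user.login.success`, `user.mfa.factor.enroll`) are constructed for illustration and are not Okta's System Log schema.

```python
"""Flag MFA factor enrolments from a location a user has never logged in from.

Added example. The events below are constructed sample data and the field
and event names are assumptions, not Okta's real System Log schema.
"""
from collections import defaultdict

# Constructed sample events: a support account with a login baseline in one
# country, then a factor-enrolment attempt from an unseen country; a second
# account whose enrolment matches its own earlier login location.
SAMPLE_EVENTS = [
    {"ts": "2022-01-18T09:02:11Z", "user": "support-agent@example.test",
     "event": "user.login.success", "country": "PH", "ip": "198.51.100.7"},
    {"ts": "2022-01-19T08:55:40Z", "user": "support-agent@example.test",
     "event": "user.login.success", "country": "PH", "ip": "198.51.100.7"},
    {"ts": "2022-01-20T03:14:02Z", "user": "support-agent@example.test",
     "event": "user.mfa.factor.enroll", "country": "GB", "ip": "203.0.113.44"},
    {"ts": "2022-01-17T10:30:00Z", "user": "other@example.test",
     "event": "user.login.success", "country": "US", "ip": "192.0.2.9"},
    {"ts": "2022-01-20T10:30:00Z", "user": "other@example.test",
     "event": "user.mfa.factor.enroll", "country": "US", "ip": "192.0.2.9"},
]

LOGIN_EVENT = "user.login.success"          # assumed event name
FACTOR_EVENTS = {"user.mfa.factor.enroll"}  # assumed event name


def find_suspicious_enrolments(events):
    """Return factor-enrolment events whose country does not appear in the
    user's login history *before* that enrolment.

    Events are processed in timestamp order so the baseline only contains
    logins that happened earlier; a login after the enrolment cannot
    retroactively make it look normal.
    """
    alerts = []
    seen_countries = defaultdict(set)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] in FACTOR_EVENTS and e["country"] not in seen_countries[e["user"]]:
            alerts.append(e)
        if e["event"] == LOGIN_EVENT:
            seen_countries[e["user"]].add(e["country"])
    return alerts


def indicators_for(alerts):
    """Build the indicator set a defender would share with the supplier:
    one (user, source IP, timestamp) tuple per flagged enrolment."""
    return sorted({(a["user"], a["ip"], a["ts"]) for a in alerts})


if __name__ == "__main__":
    flagged = find_suspicious_enrolments(SAMPLE_EVENTS)
    for user, ip, ts in indicators_for(flagged):
        print(f"suspicious factor enrolment: user={user} ip={ip} at={ts}")
```

Only the support account's enrolment from GB is flagged; the second account's enrolment is not, because its country matches a login that preceded it. In a real deployment the baseline would be persisted across runs and keyed on more than country (ASN, device, and whether the enrolment was itself preceded by a successful login), but the ordering rule is the part that matters for the incident described here.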

According to Okta, its mistake was to assume that Sitel had shared all of the information it had on the incident and to let Sitel's forensic firm carry out its own investigation. Instead, Okta should have pressed Sitel for more information, since Sitel is Okta's service provider and Okta is ultimately responsible for it.

Investigation results

The forensics firm hired by Sitel delivered its report to the customer support company on March 10, but it wasn't until a week later, on March 17, that Okta received a summary report about the incident from Sitel.

A few days later, though, Lapsus$ published screenshots on its Telegram channel claiming that they depicted Okta’s company environment, including internal tickets and in-house Slack chats. It was on this same day that Okta finally received the full report commissioned by Sitel, which concluded that there was a “five-day period between January 16-21, where an attacker had access to Sitel”.

In its FAQ, Okta provided further details on the incident itself and on how it would respond now that it has all of the information in hand, saying:

“In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel. In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.”

While Okta says that it is confident that its own service has not been breached, the Lapsus$ group is likely gearing up to hit another big name target soon, despite the fact that seven of its potential operatives were recently arrested in London.

Via The Register

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.