Following the conclusion of its investigation into a January security breach, Okta on Wednesday said the incident was “significantly smaller” in scope than previously thought. The breach, in which hackers were able to access the laptop of a third-party customer support engineer, lasted just 25 minutes and impacted only two active customer tenants.
The incident occurred on January 21, when the Lapsus$ hacking group had remote access to a laptop of a Sitel customer support engineer. The breach came to light on March 22, when the hacking group published screenshots of Okta’s systems.
Based on the final forensic report of an unnamed “globally recognized cybersecurity firm,” the group had control of a single workstation, used by a Sitel support engineer with access to Okta resources. During the 25 minutes when they had control of the workstation, the threat actor accessed two active customer tenants within the SuperUser application. They also viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants.
Okta said the threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support “impersonation” events. They were also unable to authenticate directly to