The only winner in the Okta Lapsus$ breach is Microsoft

With no additional information from Okta in days, it appears the identity security firm is just waiting for the news of the Lapsus$ breach to go away.

It probably will, but this hasn’t happened as quickly as Okta might have liked. And not nearly as rapidly as it did for Microsoft, the most immediate prior victim of the Lapsus$ hacker group (and a top identity security competitor of Okta).

In large part, the breach and leak of Microsoft’s source code by Lapsus$ did not stay in the news cycle for as long because it wasn’t as significant. Though Lapsus$ claims to have leaked 37 GB of Microsoft data, customer data was not involved, according to Microsoft.

On the other hand, in the Okta incident, up to 366 Okta customers may have been impacted. Okta has said that third-party support provider Sitel was breached for five days in January, and 2.5% of it customer base may have been affected, making this a much larger breach than the Microsoft incident.

But Lapsus$ itself helped matters for Microsoft, by leaking screenshots from its breach of the Okta contractor just two hours after posting what it claimed to be Microsoft source code for services including Bing. (Lapsus$ had earlier posted, and deleted, a claim that it had breached Microsoft. However, the news on the Microsoft breach still only dominated for a day.)

Anyway, the fact remains that everyone moved on from Microsoft to Okta once the Lapsus$ screenshots went up on Telegram late Monday night.

“The biggest winner in this situation is arguably Microsoft because Lapsus$ posting 37 GB of their data has largely been eclipsed in the news by the potential Okta breach,” said Ronen Slavin, cofounder and CTO at software supply chain security firm Cycode, in an email to VentureBeat.

For the time being, Lapsus$ says it has ended its leaks — or been forced to by law enforcement actions — with the screenshots from the Sitel breach. Leaving Okta alone in the spotlight.

No payday

What did Lapsus$ get out of it? Reportedly, the arrest of seven of its teenage members. And no clear payday. No financial demands were actually made, and publicizing the breach would seem to limit the group’s chances of monetizing any access it acquired into Okta customer systems.

Okta, meanwhile, could be dealing with the fallout for a while, both from a share price perspective and as a result of lingering customer concerns. A number of unanswered questions remain (some of which are listed below), and Okta’s handling of the incident has sparked major debate.

For instance, Okta CSO David Bradbury’s own post on LinkedIn has turned into a forum for such debate — with many criticizing Okta, and many others defending the company, in the comments section.

Okta has declined to comment when contacted by VentureBeat this week.

What follows are some of the remaining unanswered questions, collected from sources including comments to VentureBeat; a Twitter thread from well-known cybersecurity consultant Jake Williams; and an “Open Letter to Okta” posted by Amit Yoran, CEO of cyber firm Tenable and an Okta customer.

• How were customers impacted? Customer data “may have been viewed or acted upon,” Bradbury said in a blog post. But Okta has not disclosed anything more specific.
• What happened from January 16-20? Okta’s timeline starts at January 20, at 23:18 UTC. But Lapsus$ was able to access the third-party support engineer’s laptop from January 16-21, according to Okta. That leaves the first few days of the breach so far unaccounted for.
• Why is Okta defining the blast radius of the attack in this way? The 366 customers who may have been impacted by the Lapsus$ breach represent all the Okta customers that Sitel had access to during the five-day period in January, Okta says. But since only a single engineer was compromised, according to Okta, it’s unclear why the blast radius has not been limited to what that individual accessed.
• What did Okta know about the breach, and when? “Okta’s investigation began Jan 20, NOT Mar 10 as they seem to imply,” Williams said on Twitter. “Did Okta really go from January 21-March 10 with no new actionable information from Sitel?”
• When and how would Okta have notified customers, if Lapsus$ hadn’t posted screenshots? (via Williams)
• Why did the initial statements from Okta imply that there was no impact on customers? Bradbury’s initial statement said that “the Okta service has not been breached … There are no corrective actions that need to be taken by our customers.” That was later amended to reveal that up to 366 customers may have had data “viewed or acted upon.” (“Please explain the contradiction in initial impact statements over what is being communicated now,” Williams said on Twitter.)
• Why didn’t Okta provide actionable information to customers? “When you were outed by LAPSUS$, you brushed off the incident and failed to provide literally any actionable information to customers,” Yoran wrote. “LAPSUS$ then called you out on your apparent misstatements. Only then do you determine and admit that 2.5% (hundreds) of customers’ security was compromised. And still actionable detail and recommendations are nonexistent.”
• Why did Okta characterize its analysis of 125,000 log entries as particularly meaningful? “Over the past 24 hours we have analyzed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period,” Bradbury said. However, “anyone in the field” knows that this does mean that humans analyzed all of the entries, Williams wrote. “I believe the number is there to mislead laypeople. Shame.”

Update: Following the publishing of this post, Okta posted an FAQ on its website on Friday that touches on several of these questions.