Identity and access management firm Okta said reports of a possible breach of its systems are connected to a hack earlier this year that has already been contained. The company confirmed later in the day that Okta services were not hacked and they remain "fully operational."
Hacker group Lapsus$, which is behind recent attacks on Nvidia and Samsung, posted screenshots on its Telegram channel Monday evening saying the photos are from its access to “Okta.com Superuser/Admin and various other systems.” The ransomware group said its focus was “ONLY on Okta customers.”
The screenshots included on Lapsus$’s Telegram channel are dated Jan. 21 of this year, but the hackers claim to have had access to the accounts for two months.
The company doesn’t think the incident is new. Okta said it began investigating reports of a possible hack early Tuesday morning, according to Reuters. Okta told Protocol that the screenshots shared online are tied to a hack in January, when the account of a third-party customer support engineer was compromised. That incident has been contained, Okta said.
“Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” a spokesperson told Protocol.
Okta Chief Security Officer David Bradbury said in a statement on Tuesday that the company is continuing its investigation into the incident from January, and Auth0, HIPAA and FedRAMP customers were not impacted by it.
"The potential impact to Okta customers is limited to the access that support engineers have," Bradbury said. "These engineers are unable to create or delete users, or download customer databases."
If the hackers did, in fact, still have access to Okta’s systems, the incident could have huge ramifications for Okta customers. The company's customer list includes media organizations, universities, government agencies and large tech companies such as Peloton, T-Mobile and Grubhub.
Lapsus$ has claimed responsibility for several recent incidents involving Nvidia, Microsoft and Ubisoft. Earlier this month, the hacking group breached Samsung’s data and stole the source code for the Galaxy smartphone. Separately, Microsoft is investigating claims that Lapsus$ compromised internal Azure DevOps services and leaked source code for Bing, Cortana and others.
Experts told Reuters that even though Okta believes the incident has been contained, customers should still be on high alert. Security researcher Bill Demirkapi said the screenshots appear to be “credible,” and cybersecurity leader Dan Tentler said customers should be “very vigilant right now.”
This story was updated with additional information from Okta.