Okta Has a Problem

Okta, the Identity and Access Management platform has a huge problem on its hands. The company, used by thousands of organizations around the world, has been compromised by Lapus$, a (likely) Brazillian-based digital-extortion gang.

To make matters worse, Lapus$ compromised an Okta corporate super-user account way back in January, and the world’s only finding out about it now, just over two months later.

What happened?

Nobody is completely sure. Okta is remaining pretty tight-lipped.

Based on a statement released by Todd McKinnon, Okta’s CEO, the breach happened after an engineering subcontractor was targeted and exploited by Lapus$. This gave the extortion group access to every service Okta uses behind the scenes.

According to McKinnon the unusual activity was noticed almost immediately and contained, but Lapus$ seems to be indicating otherwise (without offering any proof, unfortunately).

What should you do?

If you’re an Okta user? Head for the hills, running and screaming while your arms flail wildly above your head.

Okay, don’t do that. That doesn’t help anybody. On a more helpful note, our business partner, Cloudflare (an Okta customer themselves) has offered some pretty good advice:

1. Enable MFA for all user accounts. Passwords alone do not offer the necessary level of protection against attacks. We strongly recommend the usage of hard keys, as other methods of MFA can be vulnerable to phishing attacks.
2. Investigate and respond:
   a. Check all password and MFA changes for your Okta instances.
   b. Pay special attention to support initiated events.
   c. Make sure all password resets are valid or just assume they are all under suspicion and force a new password reset.
   d. If you find any suspicious MFA-related events, make sure only valid MFA keys are present in the user's account configuration.
3. Make sure you have other security layers to provide extra security in case one of them fails.

While that advice is offered in direct relation to the Okta breach, it’s pretty good advice for anybody using an IAM platform in general. Heck, it’s good advice for everybody. Good password hygiene is important. Multi-factor authentication is important. These are the things everyone should be implementing across the board to keep their environment(s) safe from digital intruders whose main goal is to completely ruin your day, if not your life.

Remember, you’re only as strong as the weakest link in your chain. Don’t let something like this happen to you. It’s easily preventable.