With no further updates from Okta in days, it appears the identity security firm is simply waiting for the news of the Lapsus$ breach to go away.
It probably will, but this hasn’t happened as quickly as Okta might have liked. And not nearly as quickly as it did for Microsoft, the most immediate prior victim of the Lapsus$ hacker group (and a top identity security competitor of Okta).
Largely, the breach and leak of Microsoft’s source code by Lapsus$ didn’t stay in the news cycle for as long because it wasn’t as significant. Though Lapsus$ claims to have leaked 37 GB of Microsoft data, customer data was not involved, according to Microsoft.
On the other hand, in the Okta incident, up to 366 Okta customers may have been impacted. Okta has said that third-party support provider Sitel was breached for five days in January, and 2.5% of its customer base may have been affected, making this a much larger breach than the Microsoft incident.
But Lapsus$ itself helped matters for Microsoft, by leaking screenshots from its breach of the Okta contractor just two hours after posting what it claimed to be Microsoft source code for services including Bing. (Lapsus$ had earlier posted, and deleted, a claim that it had breached Microsoft. But the news on the Microsoft breach still only dominated for a day.)
Anyway, the fact remains that everyone moved on from Microsoft to Okta once the Lapsus$ screenshots went up on Telegram late Monday night.
“The biggest winner in this situation is arguably Microsoft, because Lapsus$ posting 37 GB of their data has largely been eclipsed in the news by the potential Okta breach,” said Ronen Slavin, cofounder and CTO at software supply chain security firm Cycode, in an email to VentureBeat.
For the moment, Lapsus$ says it has ended its leaks — or been forced to by law enforcement actions — with the screenshots from the Sitel breach. That leaves Okta alone in the spotlight.
No payday
What did Lapsus$ get out of it? Reportedly, the arrest of seven of its teenage members. And no clear payday. No financial demands were actually made, and publicizing the breach would seem to limit the group’s chances of monetizing any access it gained into Okta customer systems.
Okta, meanwhile, could be dealing with the fallout for a while, both from a share price perspective and as a result of lingering customer concerns. Plenty of unanswered questions remain (some of which are listed below), and Okta’s handling of the incident has sparked major debate.
For instance, Okta CSO David Bradbury’s own post on LinkedIn has become a forum for such debate — with many criticizing Okta, and many others defending the company, in the comments section.
Okta declined to comment when contacted by VentureBeat this week.
What follows are some of the remaining unanswered questions, collected from sources including comments to VentureBeat; a Twitter thread from well-known cybersecurity consultant Jake Williams; and an “Open Letter to Okta” posted by Amit Yoran, CEO of cyber firm Tenable and an Okta customer.
- How were customers impacted? Customer data “may have been viewed or acted upon,” Bradbury said in a blog post. But Okta has not disclosed anything more specific.
- What happened from January 16-20? Okta’s timeline begins at January 20, at 23:18 UTC. But Lapsus$ was able to access the third-party support engineer’s laptop from January 16-21, according to Okta. That leaves the first few days of the breach so far unaccounted for.
- Why is Okta defining the blast radius of the attack in this way? The 366 customers that may have been impacted by the Lapsus$ breach represent all the Okta customers that Sitel had access to during the five-day period in January, Okta says. But since only a single engineer was compromised, according to Okta, it’s unclear why the blast radius has not been limited to what that individual accessed.
- What did Okta know about the breach, and when? “Okta’s investigation began Jan 20, NOT Mar 10 as they seem to indicate,” Williams said on Twitter. “Did Okta really go from Jan 21-Mar 10 with no new actionable information from Sitel?”
- When and how would Okta have notified customers, if Lapsus$ hadn’t posted screenshots? (via Williams)
- Why did the initial statements from Okta indicate that there was no impact on customers? Bradbury’s initial statement said that “the Okta service has not been breached … There are no corrective actions that need to be taken by our customers.” That was later amended to reveal that up to 366 customers may have had data “viewed or acted upon.” (“Please explain the contradiction in initial impact statements over what’s being communicated now,” Williams said on Twitter.)
- Why didn’t Okta provide actionable information to customers? “When you were outed by LAPSUS$, you dismissed the incident and failed to provide literally any actionable information to customers,” Yoran wrote. “LAPSUS$ then called you out on your apparent misstatements. Only then do you determine and admit that 2.5% (hundreds) of customers’ security was compromised. And still actionable detail and recommendations are nonexistent.”
- Why did Okta characterize its analysis of 125,000 log entries as particularly meaningful? “Over the past 24 hours we have analyzed more than 125,000 log entries to determine what actions were performed by Sitel during the relevant period,” Bradbury said. However, “anyone in the field” knows that this does not mean that humans analyzed all the entries, Williams wrote. “I believe the number is there to mislead laypeople. Shame.”