New update, but posted on top of the old public post. Now indicates Okta recognizes a breach officially and has started notified affected organizations.<p><a href="https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/" rel="nofollow">https://www.okta.com/blog/2022/03/updated-okta-statement-on-...</a>
I can't believe these idiots tried playing chicken with a hacker, heads need to roll over this one. They have completely and needlessly destroyed their credibility by trying and completely failing to control the narrative.
I think the flip flopping is hurting them and their users more and more. What was initially a flat denial this morning has resulted in taunts from Lapsus$ on Twitter, Okta was out-scooped by Cloudflare's public investigation. Now they admit a breach affecting 2.5% (roughly 250 orgs based on public data).<p>The webinar tomorrow should be fascinating if they allow questions.
Came back to the blog to view the updated statement. The OktaBot chat widget is showing a lot of self awareness:<p>> Hey there! Back again to check us out? Things must be getting serious!
It's kinda funny and also very very sad that with javascript disabled, the website loads for a split second and then is covered by a fullscreen "Looks like you have Javascript turned off! Please enable it to improve your browsing experience." javascript blocker blocker, but if you delete the element, the page appears to work perfectly fine. It really is the ultimate in "fuck your browsing experience, our marketing spam scripts are the most important thing".
Do I believe the revision? Well, I believe it more than the flat denial, but I doubt the scale. I expect another revision because Okta showed they revise in the light of emerging evidence and experience.
The fact that they didn’t disclose the original breach when they detected it should be cause for any company serious about security to reject Okta as a potential vendor.
Hopefully this Webinar isn't a way to hide the details from anyone who isn't a customer, or hopefully someone in the webinar catalogues all information shared.
LAPSUS$ has already responded on Telegram:<p>'''<p><a href="https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/" rel="nofollow">https://www.okta.com/blog/2022/03/updated-okta-statement-on-...</a><p>I do enjoy the lies given by Okta.<p>1. We didn't compromise any laptop? It was a thin client.<p>2. "Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider." -
I'm STILL unsure how its a unsuccessful attempt? Logged in to superuser portal with the ability to reset the Password and MFA of ~95% of clients isn't successful?<p>4. For a company that supports Zero-Trust. <i>Support Engineers</i> seem to have excessive access to Slack? 8.6k channels? (You may want to search AKIA* on your Slack, rather a bad security practice to store AWS keys in Slack channels )<p>5. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords. -
Uhm? I hope no-one can read passwords? not just support engineers, LOL. - are you implying passwords are stored in plaintext?<p>6. You claim a laptop was compromised? In that case what <i>suspicious IP addresses</i> do you have available to report?<p>7. The potential impact to Okta customers is NOT limited, I'm pretty certain resetting passwords and MFA would result in complete compromise of many clients systems.<p>8. If you are committed to transparency how about you hire a firm such as Mandiant and PUBLISH their report? I'm sure it would be very different to your report :)<p>_________________________________________________________________________________________________________________________________________________________________________________________________________
<a href="https://www.okta.com/sites/default/files/2021-12/okta-security-privacy-documentation.pdf" rel="nofollow">https://www.okta.com/sites/default/files/2021-12/okta-securi...</a><p><i>21. Security Breach Management.
a) Notification: In the event of a Security Breach, Okta notifies impacted customers of such Security Breach. Okta
cooperates with an impacted customer’s reasonable request for information regarding such Security Breach, and Okta
provides regular updates on any such Security Breach and the investigative action and corrective action(s) taken.</i> -<p>But customers only found out today? Why wait this long?<p>9. Access Controls. Okta has in place policies, procedures, and logical controls that are designed:<p>b. Controls to ensure that all Okta personnel who are granted access to any Customer Data are based on leastprivilege principles;<p>kkkkkkkkkkkkkkk<p>1. Security Standards. Okta’s ISMP includes adherence to and regular testing of the key controls, systems and procedures of
its ISMP to validate that they are properly implemented and effective in addressing the threats and risks identified. Such
testing includes:
a) Internal risk assessments;
b) ISO 27001, 27002, 27017 and 27018 certifications;
c) NIST guidance; and
d) SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors (“Audit
Report”).<p>I don't think storing AWS keys within Slack would comply to any of these standards?<p>'''