2022-03-2022: Initial Story: Okta Potential Data Breach

Industry: Technology | Level: Tactical | Source: TheVerge

Okta authentication provider is investigating claims of a data breach from data extortion group Lapsus$. The threat group's Telegram channel claims to have access to Okta's systems for two months with "Superuser/Admin" privileges. The group’s focus was mentioned to be on “only on Okta customers.” Reported by The Verge, an Okta spokesperson Chris Hollis speculates the incident to be tied to a third-party incident, stating “In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors. The matter was investigated and contained by the subprocessor.” Chris Hollis did not offer any additional insight as the matter is continuing to be investigated.

Detection Content

The Anvilogic team has identified new detection content for Okta platform and has shared them in the platform. We encourage customers to download the new (and existing) threat identifiers to ensure comprehensive threat coverage.

• Okta Company Blog: https://www.okta.com/blog/

• [New] Anvilogic Use Cases:
• Okta: Security Threat Detected
• Okta: API Token Created
• Okta: User/Group Privilege Grant
• Okta: Application Modified or Deleted
• Okta: Update or Delete sign on policy
• Okta: MFA Reset or Deactivated
• Okta: Policy Modified or Deleted
• Okta: Policy Rule Modified or Deleted
• [Existing] Anvilogic Use Cases
• Okta Multiple signins from Same IP address
• Okta Impossible Travel Sign-In
• Okta: Auth from Suspicious Country
• Okta: Profile Updated
• Okta: User Created