Okta has revealed that just two of its customers were affected by an incident in January in which threat actors compromised a third-party vendor’s workstation.
The authentication specialist completed its investigation into the events that took place between January 16 and 21 this year, when it was believed that a hacker from the Lapsus$ group gained access to back-end systems.
Previously, Okta estimated that 366 customers may have had their tenants accessed by the attackers via a Sitel support engineer’s machine.
However, in an update yesterday, Okta CSO David Bradbury said that just two customers were impacted, with the attackers having access to the workstation for only 25 minutes.
“During that limited window of time, the threat actor … viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants,” he continued.
“The threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support ‘impersonation’ events. The threat actor was unable to authenticate directly to any Okta accounts.”
The findings would seem to end speculation that the incident enabled Lapsus$ to compromise multiple big-name tech brands in a short time, stealing and leaking sensitive IP and source code.
It remains to be seen how these organizations were compromised, although one theory is that Lapsus$ paid insiders to provide access.
Okta has taken several steps to restore trust with its customers, including terminating its relationship with Sitel and requiring all “sub-processor” partners to adopt Zero Trust architectures and use Okta’s IDAM solution for their workplace apps.
It will also be limiting what technical support engineers can view in its customer support tool and will directly manage all third-party vendor devices that access customer support tools.
It’s hoped that the latter step will speed incident response measures and ensure the firm can provide greater transparency and certainty to customers early on in the response cycle.