Identity and access management provider Okta said Tuesday that it had concluded its investigation into the breach of a third-party vendor in late January 2022 by the LAPSUS$ extortionist group.
Stating that the “impact of the incident was significantly less than the maximum potential impact” the company had shared last month, Okta said the intrusion impacted only two customer tenants, down from the 366 initially assumed.
The security event took place on January 21, when the LAPSUS$ hacking group gained unauthorized remote access to a workstation belonging to a Sitel support engineer. It became known only two months later, when the attacker posted images of Okta’s internal systems to Telegram.
In addition to accessing the SuperUser app, which allows customers to log in and out of the application to manage basic functions, the hacker group may have seen limited information from other apps like Jira or Slack, corroborating previous reports.
“Control lasted for 25 consecutive minutes on January 21, 2022,” David Bradbury, Okta’s chief security officer, said. The threat actor could not perform configuration modifications, password resets or support events such as MFA and password resets.
“The threat actor was unable to authenticate directly to any Okta accounts,” Bradbury added.
Okta has been criticized for not disclosing the incident in time and for how it handled it. It stated that its relationship with Sitel had ended and that it was making modifications to its customer service tool to limit the information Sitel technical support engineers can see.