Single sign-on provider Okta data breach could lead to further major intrusions

On Monday, Lapsus$ posted screenshots that it claimed showed the environment of Okta's corporate network. The screenshots included elements showing Slack channels as well as an interface with Cloudflare, among other services.

The hacking group also posted a message saying its focus was "only on Okta customers." With Okta providing single-sign-on services for many corporate clients, this could potentially mean the group was working to try and secure access to other targets that used Okta on their corporate network, resulting in further breaches.

Chris Hollis, an official at Okta, said the company "believe the screenshots shared online are connected" to an incident in January. That incident involved an attempt to compromise a third-party customer support engineer's account, Hollis told Reuters.

"Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January," Hollis continued.

Security experts told the report they believe the screenshots are genuine. However, it is unclear if the images were created after the known January incident.

Okta offers single-sign-on and authentication services, enabling employees of corporate clients to sign into multiple services with minimal fuss. This includes the Okta Mobile app for iPhone and iPad, enabling SSO through the Okta Identity Management Service using Face ID.

As Okta has around 15,000 clients, including major organizations, educational institutions, and government agencies, cybersecurity firm Phobos Group founder Dan Tentler advises customers to be "very vigilant right now" about any potential threats to security.

The Okta breach details surface on the same day as another alleged Lapsus$ intrusion, involving the leaking of gigabytes of Microsoft source code. The group was previously linked to breaches of Samsung and Nvidia, among others.