
Okta’s internal password screwup

Now to follow up on Okta again.

First, the company has apologized for not telling customers sooner about the breach. QUOTE “We want to acknowledge that we made a mistake. Sitel is our service provider, for which we are ultimately responsible. In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third-party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel.” END QUOTE

The disclosures to customers happened after Lapsus$ bragged about the breach. The company maintains that only 366 customers are impacted.

A leaked post-mortem report from Mandiant gives more detail about the security lapses. Top among those is a Microsoft Excel spreadsheet named “DomAdmins-LastPass.xlsx,” which the Lapsus$ attacker found on a computer system at Sitel-owned Sykes Enterprises, the firm that provides outsourced customer support for Okta. The file name suggests that domain administrator credentials stored in LastPass had been exported to a spreadsheet.

It also reveals that the Lapsus$ hackers had QUOTE “little regard for OPSEC” END QUOTE: they used the stolen credentials to create backdoor users, relied on off-the-shelf tools from GitHub for most of their attacks, and set up email forwarding that sent all messages within Sitel to accounts the attacker controlled. The group had access over a five-day window, from January 16th to 21st.
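As an added illustration, not from this post, the leaked report, Okta or Sitel: a small hunting script that looks for the two artefacts described above, credential-store exports sitting on disk and inbox rules that forward mail to an outside domain. The filename patterns, the record shape assumed for forwarding rules, and the sample file paths and rules are all constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Filename patterns that suggest a password-manager vault or admin credentials
# were dumped to a flat file. Deliberately broad: a hunt wants recall, and a
# human reviews the hits. These patterns are the example's own.
PASSWORD_MANAGER = re.compile(r"lastpass|1password|bitwarden|keepass|dashlane", re.I)
ADMIN_CREDS = re.compile(r"admins?.*?(pass|pwd|cred)", re.I)
FLAT_FILE_EXTS = {".csv", ".xlsx", ".xls", ".txt", ".json"}


def is_credential_export(path: str) -> bool:
    """True if the file name looks like an exported credential store."""
    # PureWindowsPath accepts both '\' and '/' separators, so one call
    # handles paths collected from Windows and Unix hosts.
    name = PureWindowsPath(path).name
    if PureWindowsPath(name).suffix.lower() not in FLAT_FILE_EXTS:
        return False
    return bool(PASSWORD_MANAGER.search(name) or ADMIN_CREDS.search(name))


def find_credential_exports(paths):
    """Filter a file inventory down to likely credential exports."""
    return [p for p in paths if is_credential_export(p)]


def external_forwarding_rules(rules, internal_domains):
    """Return inbox rules that forward mail outside the organisation.

    `rules` is a list of dicts shaped like
    {"mailbox": str, "forward_to": [addresses], "conditions": {...}}.
    That shape is assumed for the example; it is not any product's export format.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        external = [
            addr for addr in rule.get("forward_to", [])
            if addr.rsplit("@", 1)[-1].lower() not in internal
        ]
        if external:
            findings.append({
                "mailbox": rule["mailbox"],
                "external_targets": external,
                # A rule with no conditions matches every message, which is the
                # "forward all mail" pattern described in the report.
                "forwards_everything": not rule.get("conditions"),
            })
    return findings


# Constructed sample inventory; example.com stands in for the victim's domain.
SAMPLE_FILES = [
    r"C:\Users\jdoe\Desktop\DomAdmins-LastPass.xlsx",
    r"C:\Users\jdoe\Documents\Q3-budget.xlsx",
    "/srv/share/it/lastpass_export.csv",
    "/srv/share/it/admin-passwords.pdf",
    "/srv/share/hr/onboarding.docx",
]

SAMPLE_RULES = [
    {"mailbox": "helpdesk@example.com", "forward_to": ["archive@example.com"],
     "conditions": {"subject_contains": "ticket"}},
    {"mailbox": "jdoe@example.com", "forward_to": ["collector@attacker.example"],
     "conditions": {}},
    {"mailbox": "sales@example.com", "forward_to": ["partner@vendor.example"],
     "conditions": {"from": "crm@vendor.example"}},
    {"mailbox": "ops@example.com", "forward_to": [], "conditions": {}},
]

if __name__ == "__main__":
    for path in find_credential_exports(SAMPLE_FILES):
        print("credential export candidate:", path)
    for finding in external_forwarding_rules(SAMPLE_RULES, ["example.com"]):
        print("external forwarding:", finding)
```

On a real estate you would feed `find_credential_exports` the output of a file inventory from your EDR or a share crawl, and `external_forwarding_rules` a dump of mailbox rules from the mail platform mapped into the dict shape above; a rule that forwards everything to an unknown domain is worth an immediate call to the mailbox owner.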

Why do we care?

Because leaving the domain admin passwords in an exported Excel file seems bad. On the flip side, the hackers were not necessarily as sophisticated as previously thought.

Scary when the company in question is the security gatekeeper for other companies.

And that’s my takeaway. If you’re making claims about being a security company, you had better back that up with operational excellence. It’s one thing to be an end customer who gets breached. There is a very different set of expectations the moment you claim to be in the security business.

And there are a lot of companies in technology now claiming to be security ones. Be very sure before you make that claim, and be sure you can maintain it.