Okta Shares Investigation Update - 2022-03-24
Okta provided an update on the company blog regarding its security breach by Lapsus$. Okta’s forensic investigation affirms that the activity originated from a business solutions company named Sitel and its acquired company, Sykes. The screenshots shared by Lapsus$ were determined to have been obtained through remote desktop (RDP) access to a Sitel support engineer's workstation. Although the support engineer's privileges were identified as "SuperUser," Okta emphasizes the role "has limited to basic duties in handling inbound support queries." The forensic investigation, conducted by Sitel and a third-party security firm, extensively reviewed activity from "January 16-21, 2022 when the threat actor had access to the Sitel environment." On Okta's side, the investigation was triggered by an event on January 20, 2022, at 23:18 UTC, with an alert that "a new factor was added to a Sitel employee’s Okta account from a new location." Okta contained the associated Okta account on January 21st, 2022 at 00:18 UTC. Okta has provided an incident timeline (below) dating the notable events from January 20th, 2022 to March 22nd, 2022, with Lapsus$ claiming a breach via screenshot.