Security News > 2022 > March > Okta names contractor involved in Lapsus$ gang’s attack

Okta has released additional details about the security incident caused by the Lapsus$ gang, and has named the contractor involved: Sitel.

"Like many SaaS providers, Okta uses several companies to expand our workforce. These entities help us to deliver for our customers and make them successful with our products. Sitel, through its acquisition of Sykes, is an Okta sub-processor that provides Okta with contract workers for our Customer Support organization," explained David Bradbury, Okta's chief security officer.

He also provided a timeline of the incident, and said that it started on January 20 with an unsuccessful attempt to access a Sitel customer support engineer's Okta account.

On January 21, "The Okta Service Desk terminated the user's Okta sessions and suspended the account until the root cause of suspicious activity could be identified and remediated," and on March 22, the company received a report of the investigation conducted by a forensic firm employed by Sitel.

"In trying to scope the blast radius for this incident, our team assumed the worst-case scenario and examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period in question. Over the past 24 hours we have analyzed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period. We have determined that the maximum potential impact is 366 customers whose Okta tenant was accessed by Sitel," he added.

Affected customers will receive a report that shows the actions performed on their Okta tenant by Sitel during the 5-day period attackers had access to the machine, so they can check for themselves if they had been affected in any way.

News URL

https://www.helpnetsecurity.com/2022/03/24/okta-contractor-lapsus/