By Jon Swartz
Okta Inc. said it is investigating a potential digital breach of its software that lets businesses authenticate the identity of their customers and employees, which initially sent shares tumbling as much as 8%.
“The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers,” Okta said in an updated blog post Tuesday. “In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.”
As Okta explained the situation throughout the day, its stock has steadily rebounded, and is currently down about 2%.
Its tardiness in disclosing the issue, however, drew strong criticism from Tenable Holdings CEO Amit Yoran in an open letter to Okta. “Two months is too long. This compromise should have been disclosed when Okta detected it in January or after a competent and timely forensic analysis,” Yoran wrote on LinkedIn on Wednesday. “As a customer, this is how the fact pattern feels: You either didn’t investigate properly or disclose the breach in January when it was discovered. When you were outed by LAPSUS$, you brushed off the incident and failed to provide literally any actionable information to customers. LAPSUS$ then called you out on your apparent misstatements. Only then do you determine and admit that 2.5% (hundreds) of customers’ security was compromised. And still actionable detail and recommendations are nonexistent.”
On Wednesday, Okta offered a timeline of its own in a third blog post.
Hacking group Lapsus$ has claimed responsibility for the breach and published screenshots claiming access to an Okta internal administrative account and the firm’s Slack channel. However, the shadowy group also said on the messaging app Telegram it did not steal any databases from Okta, and “our focus was ONLY on Okta customers.” [According to its website, Okta says it has more than 15,000 customers.]
Early Tuesday, Okta Chief Executive Todd McKinnon tweeted that the company believes those screenshots are related to a security incident in January that was contained.
“In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors,” McKinnon tweeted, referring to a subcontractor that works with Okta. “The matter was investigated and contained by the subprocessor.”
Although Okta’s preliminary review has not revealed malicious activity beyond January’s incident, the activities of Lapsus$ have financial analysts like Mizuho Securities’ Gregg Moskowitz concerned.
In a note Tuesday, Moskowitz pointed out Lapsus$ has reportedly breached several big-name organizations over the past few months that include Microsoft Corp., Nvidia Corp., Samsung Electronics Co. Ltd., Vodafone Group, LG Electronics Inc. and Impresa.
Lapsus$ has widened its targets and increased its sophistication in recent months, making it harder for analysts to predict which company is most at risk next, according to Pratik Savla, security engineer at cybersecurity company Venafi Inc.
Following Okta’s latest explanation, Moskowitz issued another note on Wednesday. “While more information could be unearthed, and OKTA surely could have handled this situation better, we believe these findings are better than feared. We also believe that OKTA can effectively navigate this issue,” Moskowitz wrote.
JMP Securities analyst Trevor Walsh on Wednesday maintained a market outperform rating and $260 price target on Okta after he concluded the incident had “minimal impact.”