Okta says 366 customers potentially affected in data breach

Customer data is safe, the company says. But an Okta official says it should have handled some things differently.
Okta, Lapsus$ response
Okta's website on March 23, 2022. (Scoop News Group)

Okta, the identity authentication company whose customers were targeted by a prolific cybercrime group in a late-January breach, said Wednesday that 366 customers’ accounts were potentially accessed as part of the incident.

In a nine-minute Zoom call Wednesday, the company’s chief security officer, David Bradbury, said that number represents the maximum of customer accounts accessed by third-party contractors during a five-day window when hackers had gained entry to a contractor’s laptop.

Bradbury added that he was “greatly disappointed by the long period of time” between when the incident occurred and March 17, when a summary of a third-party investigation of the incident became available. An unnamed company was hired to examine what happened at Sitel Group, the Miami-based contractor providing outsourced contact center services.

“Upon reflection, once we received the Sitel summary report, we should have moved more swiftly to understand its implications,” he said.


A laptop belonging to a contractor with Sitel was accessed by the hacking group Lapsus$ in January. Lapsus$ posted screenshots of the incident to its Telegram channel earlier this week, which showed Okta’s Slack channels and a “Superuser” dashboard for Cloudlfare, a major content delivery network.

Bradbury said Wednesday that “Superuser” refers to an internal application used by employees to perform basic management functions for Okta customers. “Despite its name, this application does not provide godlike access to all its users,” Bradbury said. It does not allow for the creation or deletion of users, does not allow for the download of customer databases, or access to source code repositories, he said.

“Upon reflection, once we received the Sitel summary report, we should have moved more swiftly to understand its implications.”

— Okta Chief Security Officer David Bradbury

Bradbury — who did not take any questions during the call — said the estimate reflects the “worst case scenario” after investigators “examined all of the access performed by all Sitel employes” to the internal application used to service customer accounts between Jan. 16 and Jan. 21.

“Because of the access the support engineers had, the information and their ability to take action were highly constrained,” Bradbury said. “As a result of the constrained access provided and our exhaustive analysis of actions performed during that period, we are of the opinion that no corrective actions need to be taken by our customers.”

The affected customers will receive a report of all actions performed by Sitel on their accounts during the five-day period, Bradbury said. Okta has more than 15,000 customers around the world, including major firms like Cloudflare and U.S. government agencies.


Okta posted a detailed timeline of events on its blog late Tuesday.

Lapsus$ emerged in December and has racked up a string of high-profile victims in pursuit of what it says are purely financial motives. Microsoft confirmed Tuesday that the group gained access portions of its source code, without going into detail. The group claimed on its Telegram channel to have taken source code related to Bing, the company’s search engine, Bing Maps, and Cortana, the company’s virtual assistant software. The group has also targeted Samsung, Nvidia and Ubisoft, among others.

Dan Tentler, a founder of cybersecurity firm Phobos, told Wired that Lapsus$ operation was “indeed quite a big deal” depending on the level of access and privileges the contractors had to Okta customer accounts.

Latest Podcasts