Identity-management-as-a-service outfit Okta has acknowledged that it made an important mistake in its handling of the attack on a supplier by extortion gang Lapsus$.

In an FAQ published last Friday, Okta offered a full timeline of the incident, starting from January 20 when the company learned “a new factor was added to a Sitel customer support engineer’s Okta account.”

Sitel is a third party vendor that Okta uses to provide some customer support services.

The FAQ states that the attempt to add the new factor – a password – was unsuccessful, but on January 21 Okta nonetheless reset the account and notified Sitel, which “engaged a leading forensic firm to perform an investigation.”

We should have more actively and forcefully compelled information from Sitel

Okta’s mistake, in its own estimation, was to assume that Sitel had revealed everything of importance, and to wait for the investigation Sitel commissioned, rather than press for more information.

“In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt,” the FAQ states.

“At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel,” the FAQ states, adding: “In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.”

The forensics outfit that Sitel hired delivered its report on March 10. Okta received a summary of the document as week later, on March 17.

Then on March 22, Lapsus$ dropped screenshots depicting its operatives (seven of whom were arrested last week) apparently rummaging around inside Okta’s internals.

On the same day, Okta received the full report commissioned by Sitel. The FAQ states the document “concluded that there was a five-day period between January 16–21, 2022, where an attacker had access to Sitel.” But the attacker’s only action was the January 21 password reset.

When news of the Lapsus$ attack emerged, Okta first dismissed it as unlikely to be a problem for its customers. But on March 23 – presumably after digesting the full forensic report – the company admitted some customers had potentially been exposed.

The FAQ tries to tie the story up in a bow by asserting that further investigations show no customers were in danger of having their Okta credentials abused – because even if Sitel staff were compromised, individual end users set their own passwords. Lapsus$, or another attacker, would therefore need to gain control of an account at one of Okta’s customers, rather than at Sitel, to gain even the power to reset a password for an Okta account – never mind fiddle with Okta’s other systems.

“We are confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers” the FAQ states. “We are confident in this conclusion because Sitel (and therefore the threat actor who only had the access that Sitel had) was unable to create or delete users, or download customer databases.”

So what did Lapsus$ publish?

According to the FAQ, screenshots depicting “Jira tickets and lists of users” – which is the sort of stuff Sitel staff can see. However Sitel staff can’t “create or delete users, or download customer databases.”

But the story isn’t over. The FAQ states: “Okta is actively continuing our investigation, and we are utilizing logs as well as other data sources.”

Okta has already changed its story twice – from an initial “nothing happened” to “oops, something did happen” and now to “even though something happened, customers were safe, but we’re still checking to make sure.”

Okta is actively continuing our investigation

A reminder: Okta’s whole business is built around providing its users with trusted identity services, yet the company has acknowledged it was too trusting of Sitel and is now asking customers to trust that its investigations have cleared the danger – even as it continues those investigations.

“We have reached out to all customers who have been potentially impacted,” Okta’s FAQ concludes. “In addition, we have also notified non-impacted customers.”

How many will be ex-customers before long? ®