WASHINGTON (Reuters) – Hundreds of customers of digital authentication firm Okta have possibly been affected by a security breach caused by a hacking group known as Lapsus$, the company said on Tuesday.
The breach has sparked concern since the cyber extortion gang posted what appeared to be internal screenshots from within the organization’s network roughly a day ago.
In a series of blog posts, Chief Security Officer David Bradbury said the “maximum potential impact” was to 366 customers whose data was accessed by an outside contractor, Sitel.
The contractor employed an engineer whose laptop the hackers had hijacked, he added.
The 366 number represented a “worst case scenario,” Bradbury cautioned, adding that, in any case, the hackers had been constrained in their range of possible actions.
Okta, based in San Francisco, helps employees of more than 15,000 organizations securely access their networks and applications, so a breach at the company could lead to serious consequences across the Internet.
Bradbury said the intrusion would not have given “god-like access” to the intruders as they would have been unable to perform actions such as downloading customer databases or accessing Okta’s source code.
Okta first got wind of the breach in January, he added, while the Miami-based Sitel Group only received a forensic report about the incident on March 10, giving Okta a summary of the findings a week later.
Bradbury said he was “greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report.”
Sitel did not immediately return a message seeking comment early on Wednesday.
According to its website, Okta has been in business since 2009 and describes itself as the “identity provider for the internet.”
Okta sells identity services, such as Single Sign-On and Multi-factor Authentication used to log in to online applications and websites.
Hundreds of large companies, such as FedEx Corp, T-Mobile US, Moody’s and Coinbase Global, use Okta’s services.
Global cloud services provider Cloudflare also uses Okta. Cloudflare CEO Matthew Prince said in a tweet that the company had reset the credentials of some employees “out of (an) abundance of caution” but had “confirmed no compromise.”
In a 2019 interview with CNBC, Okta’s CEO, Todd McKinnon, said the company had more than 100 million registered users.
Okta competes with the likes of PingID, Duo, SecureAuth, Microsoft Corp and IBM. While known for offering employee identification systems, Okta has been expanding its customer identification business, which now accounts for a quarter of revenue.
Earlier this month, Okta said it had agreed to buy its smaller rival Autho in a $6.5 billion all-stock deal, one of the largest software deals so far this year.
Okta reported quarterly revenue of $234.7 million in March, an increase of 40%. The company’s share price has jumped during the pandemic, taking the company’s market cap to over $30 billion.
(By Raphael Satter; Reporting by Raphael Satter and James Pearson in London; Editing by Shri Navaratnam and Matthew Lewis)