Okta confirms that the LAPSUS$ hack was not so catastrophic

Okta was one of many companies attacked by the LAPSUS$ hackers, and it eventually released its definitive report on the incident. The investigation concluded that the scope of the cyberattack was even smaller than expected and affected only two of the more than 15,000 customers it has worldwide.

As the company explained, the hackers were “actively controlling” the computer of a support engineer from Sitel, a company contracted to provide customer services, for only 25 consecutive minutes. During this period, they had access to data from two companies and to “additional information” in applications such as Slack and Jira; however, none of this could be used to access Okta’s commands.

As it had already stated some time ago, the firm confirmed that at no time were actions such as password changes or changes to additional authentication systems or configurations carried out. Additionally, Okta said it contacted both customers individually to inform them of the situation.

“While the overall impact was determined to be significantly lower than we originally estimated, we recognize the high cost this type of engagement can place on our customers and their trust in Okta,” said David Bradbury, head of corporate security.

Okta cuts ties with the outsourced company that was in charge of customer service

To distance itself from the LAPSUS$ incident as much as possible, Okta has taken various measures. Among them, it terminated its relationship with Sitel, the company that, after all, suffered the hack. This decision is linked to its new security requirements for risk management, which also involve strengthening its audit procedure.

The company also announced a revision of its communication process with customers. From now on, it will directly manage third-party devices that have access to its support tools.

However, Okta apologized again for the mishandling of information after the hacking attempt. Recall that the companies using its services only learned of the event two months later, when LAPSUS$ was on the crest of the wave and claimed to have had full access to the company’s systems for two months.

Some time ago the company acknowledged that it did not attach importance to the incident because, according to the first reports, there was no real risk. However, it did not consider that the story might generate panic if it became public; keep in mind that thousands of companies and government agencies use its tools to manage and protect their employees’ access credentials.