Response to the Okta LAPSUS$ Compromise

Like a lot of digital-native SaaS organisations around the globe, the mx51 cyber security team spent some time this week responding to the LAPSUS$ claims on March 22 (AEDT) that they had compromised Okta. We use Okta internally to authenticate and authorise employee access, so we initiated our Incident Response Plan to determine our exposure and respond accordingly. Our internal investigation concluded that we had not been compromised as a result. This has since been confirmed by Okta.

What Happened?

We learned of the LAPSUS$ claim that they had compromised Okta just as we were finishing for the day here in Sydney on March 22. Okta subsequently responded, confirming that an event had occurred. The latest statement can be found here.

What Could This Mean for mx51?

mx51 implement multiple controls to authenticate our users, their hardware and their location prior to authorising any access. To gain access, a malicious actor would have to compromise the user device, compromise the user email account, reset the Okta password and the multi-factor authenticator.

Okta is not used for customer authentication to mx51 services, and we do not store any customer data in Okta. It is only used for authenticating and authorising employee access.

How Did mx51 Respond?

Following the disclosure of this event, mx51:

  • Kicked off our Incident Response Plan
  • Reached out to Okta to gather more information
  • Reached out to our cyber intelligence network to obtain additional context
  • Searched the Okta system logs for any sign of compromise (password changes, hardware token changes, etc.)
  • Scheduled a video call with every user who had reset their password within the last three months, and reset their password
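
The log search described in the list above, as an added example that is not mx51's own tooling: it filters exported Okta System Log events for successful password and MFA factor changes inside a review window and flags users where both were changed by someone other than the user. The sample events, addresses and window dates are constructed; the field names follow the Okta System Log event schema.

```python
from datetime import datetime, timezone

# Okta System Log event types for password and MFA factor changes.
WATCHED = {"user.account.reset_password", "user.account.update_password",
           "user.mfa.factor.deactivate", "user.mfa.factor.reset_all",
           "user.mfa.factor.activate"}

def credential_changes(events, start, end):
    """Group successful password/factor changes in [start, end) by target user."""
    findings = {}
    for ev in events:
        if (ev.get("eventType") not in WATCHED
                or (ev.get("outcome") or {}).get("result") != "SUCCESS"):
            continue
        # System Log timestamps are ISO 8601 UTC, e.g. 2022-02-01T03:10:00.000Z
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if not start <= when < end:
            continue
        actor = (ev.get("actor") or {}).get("alternateId", "unknown")
        for tgt in ev.get("target") or []:
            if tgt.get("type") == "User":
                user = tgt.get("alternateId", "unknown")
                findings.setdefault(user, []).append({"when": when, "event": ev["eventType"],
                                                      "actor": actor, "by_other": actor != user})
    return findings

def needs_review(findings):
    """Users whose password and an MFA factor were both changed by another actor."""
    flagged = []
    for user, changes in findings.items():
        kinds = {c["event"] for c in changes if c["by_other"]}
        if any("password" in k for k in kinds) and any(".mfa." in k for k in kinds):
            flagged.append(user)
    return sorted(flagged)

def _ev(etype, ts, actor, user, result="SUCCESS"):
    # Hypothetical helper: builds a constructed event with the fields used above.
    return {"eventType": etype, "published": ts, "outcome": {"result": result},
            "actor": {"alternateId": actor}, "target": [{"type": "User", "alternateId": user}]}

HELP = "helpdesk@example.com"  # constructed sample data, not real log entries
SAMPLE = [
    _ev("user.account.reset_password", "2022-02-01T03:10:00.000Z", HELP, "alice@example.com"),
    _ev("user.mfa.factor.reset_all", "2022-02-01T03:12:00.000Z", HELP, "alice@example.com"),
    _ev("user.account.update_password", "2022-02-10T00:05:00.000Z", "bob@example.com", "bob@example.com"),
    _ev("user.account.reset_password", "2021-11-01T01:00:00.000Z", HELP, "carol@example.com"),
    _ev("user.mfa.factor.deactivate", "2022-03-01T01:00:00.000Z", HELP, "erin@example.com", "FAILURE"),
    _ev("user.session.start", "2022-03-02T01:00:00.000Z", "dave@example.com", "dave@example.com"),
]
START = datetime(2021, 12, 22, tzinfo=timezone.utc)  # constructed review window
END = datetime(2022, 3, 23, tzinfo=timezone.utc)
```

Users returned by `credential_changes` but not by `needs_review` (self-service password changes, for instance) still appear in the findings, so they can be followed up individually.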

What Was the Outcome?

mx51 found no evidence of suspicious activity in our Okta system logs. We opted to take the password reset action out of an abundance of caution pending a definitive statement from Okta. On March 25 at 06:02 AM (AEDT), we received formal confirmation from Okta that mx51 had not been compromised.

Epilogue

mx51 take our responsibility to secure and protect our customer data and services very seriously. We regularly test our control environment and review our internal processes to prepare for events like this. The benefits of a defence-in-depth strategy and a well-exercised Incident Response Plan have been demonstrated over the last few days. Practice doesn’t make perfect, but it makes better.