Okta, a well-known supplier of identity and access management (IAM) solutions, reports that its private GitHub repositories were hacked this month.
The security breach involves threat actors acquiring Okta’s source code, according to a ‘secret’ email warning from Okta that BleepingComputer obtained.
According to information obtained by BleepingComputer, Okta began emailing a “secret” security incident notification to its “security contacts” a few hours ago. We have verified that this notification has reached numerous sources, including IT administrators.
GitHub had earlier this month informed Okta of unusual access
According to the notification, GitHub informed Okta earlier this month of unusual access to Okta’s code repositories. Upon investigation, Okta concluded that this access was used to copy the Okta code repositories, says David Bradbury, the company’s Chief Security Officer (CSO), in the email.
An excerpt from the remainder of the notification, reviewed by BleepingComputer, is published below:
As soon as Okta learned of the possible suspicious access, we promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications.
We have since reviewed all recent access to Okta software repositories hosted by GitHub to understand the scope of the exposure, reviewed all recent commits to Okta software repositories hosted with GitHub to validate the integrity of our code, and rotated GitHub credentials. We have also notified law enforcement.
Additionally, we have taken steps to ensure that this code cannot be used to access company or customer environments. Okta does not anticipate any disruption to our business or our ability to service our customers as a result of this event.
Note: The security event pertains to Okta Workforce Identity Cloud (WIC) code repositories. It does not pertain to any Auth0 (Customer Identity Cloud) products.
We have decided to share this information consistent with our commitment to transparency and partnership with our customers.
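The notification above describes the classic scoping steps after suspected repository access: review recent access to the repositories, validate the integrity of recent commits, and rotate credentials. The following is an added example, not code from Okta or BleepingComputer, of how a defender can do the first and last of those steps over a GitHub organization audit log export. It assumes a JSON-lines export whose records carry the fields `@timestamp` (milliseconds since the epoch), `action`, `actor`, `actor_ip` and `repo`; the sample records, the organization name `example-org`, the repository names and the IP ranges are all constructed for illustration.

```python
"""Scope suspected repository access from a GitHub audit log export.

Added example, not Okta's or BleepingComputer's code. Field names follow the
shape of GitHub's organization audit log export ('@timestamp', 'action',
'actor', 'actor_ip', 'repo'); all records and addresses below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: repository events for a fictional organization.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1670803200000, "action": "git.clone", "actor": "alice", "actor_ip": "203.0.113.10", "repo": "example-org/wic-core"}
{"@timestamp": 1670806800000, "action": "git.push", "actor": "bob", "actor_ip": "203.0.113.11", "repo": "example-org/wic-core"}
{"@timestamp": 1670889600000, "action": "git.clone", "actor": "ci-bot", "actor_ip": "198.51.100.5", "repo": "example-org/wic-core"}
{"@timestamp": 1670893200000, "action": "git.clone", "actor": "alice", "actor_ip": "192.0.2.77", "repo": "example-org/wic-core"}
{"@timestamp": 1670893260000, "action": "git.clone", "actor": "alice", "actor_ip": "192.0.2.77", "repo": "example-org/wic-admin"}
{"@timestamp": 1670893320000, "action": "git.clone", "actor": "alice", "actor_ip": "192.0.2.77", "repo": "example-org/wic-sdk"}
{"@timestamp": 1670976000000, "action": "git.clone", "actor": "bob", "actor_ip": "203.0.113.11", "repo": "example-org/wic-sdk"}
"""

# Egress prefixes the organization expects developer and CI traffic from (constructed).
KNOWN_SOURCE_PREFIXES = ("203.0.113.", "198.51.100.")


def parse_audit_log(text):
    """Parse a JSON-lines audit log export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_unexpected_clones(events, known_prefixes=KNOWN_SOURCE_PREFIXES):
    """Return clone events whose source address lies outside the known prefixes."""
    return [
        e for e in events
        if e["action"] == "git.clone" and not e["actor_ip"].startswith(known_prefixes)
    ]


def scope_exposure(events, known_prefixes=KNOWN_SOURCE_PREFIXES):
    """Map each (actor, ip) that cloned from an unexpected address to the repos it copied."""
    scope = defaultdict(set)
    for e in find_unexpected_clones(events, known_prefixes):
        scope[(e["actor"], e["actor_ip"])].add(e["repo"])
    return {source: sorted(repos) for source, repos in scope.items()}


def bulk_clone_windows(events, window_ms=10 * 60 * 1000, min_repos=3):
    """Flag (actor, ip) pairs that cloned at least min_repos distinct repos within window_ms.

    Cloning many repositories in quick succession from one source is a bulk-copy
    pattern, independent of whether the address is known.
    """
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        if e["action"] == "git.clone":
            by_source[(e["actor"], e["actor_ip"])].append(e)
    flagged = {}
    for source, clones in by_source.items():
        for i, start in enumerate(clones):
            repos = {
                c["repo"] for c in clones[i:]
                if c["@timestamp"] - start["@timestamp"] <= window_ms
            }
            if len(repos) >= min_repos:
                flagged[source] = sorted(repos)
                break
    return flagged


def credentials_to_rotate(scope):
    """Every account seen cloning from an unexpected address needs its tokens and keys rotated."""
    return sorted({actor for actor, _ip in scope})


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for source, repos in scope_exposure(evs).items():
        print("unexpected clones by", source, "of", repos)
    print("bulk clone windows:", bulk_clone_windows(evs))
    print("rotate credentials for:", credentials_to_rotate(scope_exposure(evs)))
```

Both heuristics agree on the constructed data: the account `alice` cloned three repositories within two minutes from an address outside the expected ranges, which is the kind of finding that drives the "understand the scope of the exposure" and "rotated GitHub credentials" steps in the notification. Validating commit integrity is a separate step (comparing recent commits against signed or reviewed history) and is not covered by this script.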
Although the attackers stole Okta’s source code, the company says they did not gain unauthorized access to the Okta service or to customer data. Furthermore, because Okta “does not rely on the secrecy of its source code as a means to secure its services,” its “HIPAA, FedRAMP, or DoD customers” are unaffected. As a result, no customer action is required.
Okta Workforce Identity Cloud
Given the email’s language, the incident appears to pertain to Okta Workforce Identity Cloud (WIC) code repositories but not to the Auth0 Customer Identity Cloud product, as of the time of writing this report. This is BleepingComputer’s reading of an excerpt from the full notification.
Okta ends its “secret” email by promising a “commitment to transparency” and stating that it will post a statement on its blog today. BleepingComputer contacted Okta with questions before publishing, but a response was not immediately available.
Okta has had a challenging year, marked by several security incidents and rocky disclosures.
Okta-owned Auth0 disclosed a similar incident in September of this year. The authentication service vendor said that an unidentified “third-party individual” had obtained older Auth0 source code repositories from its environment. Okta’s troubles, however, began much earlier, with the commotion that followed the revelation of its January breach.
The data extortion group Lapsus$ began sharing screenshots of the stolen data on Telegram in March of this year, claiming access to Okta’s administrative consoles and customer data.
Okta initially responded that it was investigating these claims, but it soon admitted that the breach in question had occurred in late January 2022 and may have affected 2.5% of its customers. Okta had more than 15,000 customers at the time, so this figure was initially believed to correspond to around 375 organizations.
The following week, Okta acknowledged that it had “made a mistake” in disclosing this attack, which the company claimed had been carried out by a third-party contractor named Sitel.
Okta revealed in April that the January breach had lasted “25 straight minutes” and that the impact was much lower than initially thought, limited to only two customers.