Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub repositories were hacked this month.
According to a ‘confidential’ email notification sent by Okta and seen by BleepingComputer, the security incident involves threat actors stealing Okta’s source code.
Source code stolen, customer data not impacted
BleepingComputer has obtained a ‘confidential’ security incident notification that Okta has been emailing to its ‘security contacts’ as of a few hours ago. We have confirmed that multiple sources, including IT admins, have been receiving this email notification.
Earlier this month, GitHub alerted Okta of suspicious access to Okta’s code repositories, states the notification.
“Upon investigation, we have concluded that such access was used to copy Okta code repositories,” writes David Bradbury, the company’s Chief Security Officer (CSO), in the email.
Despite stealing Okta’s source code, attackers did not gain unauthorized access to the Okta service or customer data, says the company. Okta’s “HIPAA, FedRAMP or DoD customers” remain unaffected as the company “does not rely on the confidentiality of its source code as a means to secure its services.” As such, no customer action is required.

At the time of writing our report, the incident appears to be related to Okta Workforce Identity Cloud (WIC) code repositories, but not the Auth0 Customer Identity Cloud product, given the email wording.
An excerpt from the remainder of the notification, reviewed by BleepingComputer, is published below:
As soon as Okta learned of the possible suspicious access, we promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications.
We have since reviewed all recent access to Okta software repositories hosted by GitHub to understand the scope of the exposure, reviewed all recent commits to Okta software repositories hosted with GitHub to validate the integrity of our code, and rotated GitHub credentials. We have also notified law enforcement.
Additionally, we have taken steps to ensure that this code cannot be used to access company or customer environments. Okta does not anticipate any disruption to our business or our ability to service our customers as a result of this event.
Note: The security event pertains to Okta Workforce Identity Cloud (WIC) code repositories. It does not pertain to any Auth0 (Customer Identity Cloud) products.
We have decided to share this information consistent with our commitment to transparency and partnership with our customers.
While ending its ‘confidential’ email that pledges a ‘commitment to transparency,’ Okta says it will publish a statement today on its blog.
BleepingComputer reached out to Okta with questions in advance of publishing, but a reply was not immediately available.
Okta security incidents: Year in review
It has been a difficult year for Okta with its series of security incidents and bumpy disclosures.
In September this year, Okta-owned Auth0 disclosed a similar-style incident. According to the authentication service provider, older Auth0 source code repositories were obtained by a “third-party individual” from its environment via unknown means. But Okta’s problems began long before, amid the irregularity surrounding the disclosure of its January hack.
In March this year, data extortion group Lapsus$ claimed it had access to Okta’s administrative consoles and customer data as it began posting screenshots of the stolen data on Telegram.
After stating that it was investigating these claims, Okta shortly acknowledged that the hack being referred to had in fact occurred in late January 2022 and potentially affected 2.5% of its customers. This figure was estimated to be approximately 375 organizations at the time, given Okta’s 15,000+ customer base back then.
The same week, Okta admitted that it had “made a mistake” in delaying the disclosure of this hack that, the firm said, had originated at its third-party contractor, Sitel (Sykes).
In April, Okta clarified that the January breach had lasted “25 consecutive minutes” and the impact was significantly smaller than what was initially anticipated: limited to just two customers.