tentative: Okta may have been breached since late January


Royce Williams
 

Developing story - take with a grain of salt. If you use Okta, it might be useful for IR resources to start tentative evaluation of applicability to your environment.


Early speculation is that the threat actor (LAPSUS$) may have lost their foothold, and so decided to "burn" it for the exposure.

Royce

-- 
Royce Williams
Tech Solvency


JP
 

Thanks again, Royce.

I have been watching this on some MSP forums as well; a security vendor posted this yesterday afternoon. I was also kind of waiting to see what this really is once the dust settles. Currently the concern among that community is that our vendors may have been using Okta for authentication, and everyone is really gun-shy since the Kaseya and Log4J events. So even though I don't personally employ Okta, I am asking my vendors if they do. If I find anything I will be sure to reply here.


On Mon, Mar 21, 2022 at 10:34 PM Royce Williams <royce.williams@...> wrote:


Tom Bentley
 

My first thought was that if they had obtained sufficient access to compromise clients they would have kept quiet about it.

On Mar 22, 2022, at 17:35, JP <jp@...> wrote:




Royce Williams
 

That's compatible with the theory that they did keep quiet about it - until they were caught.

Okta's blog post has been updated:


Excerpt (emphasis mine):

After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.

-- 
Royce


On Tue, Mar 22, 2022 at 6:48 PM Tom Bentley <TomBent@...> wrote: