As teen hacker is linked to Lapsus$, Okta provides more details on data breach

Shares in identity and access management company Okta Inc. dropped today as it provided more details about the company’s data breach, as the mastermind behind the Lapsus$ ransomware gang that had taken credit for the data breach was reported to be a 16-year-old boy from the U.K.

As reported yesterday, both Okta and Microsoft Corp. were targeted by Lapsus$. In Okta’s case, screenshots of internal Okta information were shared on Telegram late Monday.

Okta has confirmed that there was a breach and Chief Security Officer David Bradbury has shared a full rundown of what occurred, including a complete timeline of what happened and when.

Bradbury went through when Okta first became aware of a compromise and the story starts on Jan. 20 at 11:18 p.m. The company received an alert that a new factor was added to a Sitel Group employee’s Okta account from a new location. Sitel is one of several companies that Okta employees as a “sub-processor” to provide customer support.

Within 28 minutes of the initial alert, the change of details was escalated to a security incident. By 12:28 a.m. Jan. 21, the Okta service desk terminated the user’s Okta sessions and suspended the account. Later the same day, Okta shared the details with Sitel, which then said it had retained outside support from a leading forensics firm.

The forensics firm delivered a report to Sitel on March 10, with a summary report sent to Okta on March 17. Then, things took a turn, as Lapsus$ shared screenshots on March 22. Sitel then delivered the full report to Okta later the same day.

Following the back and forth, Okta ascertained that the screenshots had been taken from a Sitel support engineer’s computer. The engineer’s computer had been remotely accessed by an attacker using remote desktop protocol. Okta noted that though the attacker never gained access to Okta itself via account takeover, the computer logged into Okta was compromised and hence obtained screenshots and controlled the machine through the RDP session.

“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report,” Bradbury wrote. “Upon…