Up To 366 Clients Had Data ‘Acted Upon’ in Lapsus$ Hack

As many as 366 Okta customers might have had their data ‘acted upon’ following the Lapsus$ cyberattack against the identity security giant’s customer support subcontractor.

“A small percentage of customers – approximately 2.5 percent – have potentially been impacted and whose data may have been viewed or acted upon,” Okta Chief Security Officer David Bradbury wrote in an update posted at 9:31 p.m. ET Tuesday.

The San Francisco-based company didn’t provide details around how these customers were impacted but said affected customers will receive a report that shows the actions performed on their Okta tenant during the period in question. Okta said impacted customers might want to complete their own analysis, noting the report the company is providing should allow clients to assess the situation for themselves.

[Related: Okta Breached By Lapsus$, Exposing Customer Data, Group Claims]

“Our customers are our pride, purpose, and #1 priority,” Bradbury wrote in the update. “We take our responsibility to protect and secure customers’ information very seriously. We deeply apologize for the inconvenience and uncertainty this has caused.”

The cyberattack came to light early Tuesday when data extortion gang Lapsus$ posted screenshots to its Telegram channel of what it alleged was data from Okta customers. Lapsus$ claimed it acquired “superuser/admin” access to Okta.com and used that to access Okta’s customer data. Okta’s stock fell $2.98 (1.76 percent) to $166.43 per share in trading Tuesday, and another $0.04 in after-hours trading.

The screenshots Lapsus$ published online were taken from a computer used by a Sitel employee, which Okta contracts with for customer support work. The hacker obtained remote access to the Sitel support engineer’s computer using remote desktop protocol (RDP) and was able to control the machine. The machine was logged into Okta at the time of compromise, though there wasn’t account takeover.

The majority of support engineering tasks are performed using an internally built application called SuperUser, which allows for the performing of basic management functions on Okta customer tenants. The threat actor had…