Okta hack: GitHub repositories breached, source code stolen

Breach discovered after suspicious access to Okta’s code repositories


Okta, an American identity and access management service provider, has reported a breach by an unauthorized party. The company disclosed on Wednesday that some of its source code was stolen after its code repositories on GitHub were accessed illegally at some point earlier this month.

Okta is an identity and access management platform that enables organizations to securely manage and administer user authentication across multiple applications, both in the cloud and on-premises.

It offers a range of features, including single sign-on (SSO), multi-factor authentication (MFA), adaptive risk policies, social login, automated user provisioning, and identity lifecycle management. Okta also provides an API platform for building custom integrations with third-party applications, as well as support for on-premises connections to legacy systems.

The incident

On December 21, Okta released a public statement “sharing context and details around a recent security event.” The tip-off about the breach came from GitHub's owner, Microsoft. Despite the theft of its source code, the company states that there is no impact on its customers:[1]

There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers. No action is required by customers.

As soon as the San Francisco-based company learned about the intrusion, it immediately restricted all access to its Workforce Identity Cloud (WIC) repositories and suspended all integrations with applications from third parties.

Okta also said that it reviewed all recent access to its software repositories to understand the scope of the break-in, checked recent code commits to ensure the perpetrators had made no alterations, rotated all credentials for the GitHub platform, and reported the incident to the appropriate law enforcement agencies.
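The commit review described above is the kind of check a defender runs after a repository compromise: list every commit authored in the incident window and flag any whose author is not a known engineer or whose signature does not verify. The script below is an added example written for this article, not Okta's or GitHub's own tooling. It assumes the history was exported with git's `--format='%H|%an|%ae|%aI|%G?'` (hash, author name, author e-mail, ISO-8601 date, signature status), and the sample log lines, the allow-list of authors and the incident window are all constructed for illustration.

```python
"""Flag commits in an incident window that fail author or signature checks.

Added example for this article; it is not Okta's or GitHub's code. Input is
assumed to come from:
    git log --format='%H|%an|%ae|%aI|%G?' --since=<window start>
where %G? is git's signature status: G = good signature, U = good signature
with an untrusted key, B = bad signature, N = no signature, and E/X/Y/R mark
expired, missing or revoked keys.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log (short fake hashes, fictitious authors).
SAMPLE_LOG = """\
0000001|Alice Dev|alice@example.com|2022-12-05T09:00:00+00:00|G
0000002|Bob Dev|bob@example.com|2022-12-06T14:30:00+00:00|G
0000003|Bob Dev|bob-dev@personal.example|2022-12-07T02:12:00+00:00|N
0000004|Alice Dev|alice@example.com|2022-12-08T11:00:00+00:00|B
0000005|Carol Dev|carol@example.com|2022-11-20T16:45:00+00:00|N
"""

# Assumed allow-list of engineers' committer addresses (constructed).
ALLOWED_EMAILS = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Assumed incident window: "earlier this month" up to the Dec 21 disclosure.
WINDOW_START = datetime(2022, 12, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 12, 21, 23, 59, 59, tzinfo=timezone.utc)


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    authored_at: datetime
    sig_status: str


def parse_git_log(text: str) -> list[Commit]:
    """Parse pipe-separated log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, when, sig = line.split("|", 4)
        commits.append(Commit(sha, name, email, datetime.fromisoformat(when), sig))
    return commits


def suspicious_commits(
    commits: list[Commit],
    allowed_emails: set[str],
    window_start: datetime,
    window_end: datetime,
    trusted_sig_status: tuple[str, ...] = ("G",),
) -> list[tuple[str, list[str]]]:
    """Return (sha, reasons) for commits inside the window that fail a check.

    A commit is flagged when its author address is not on the allow-list or
    when its signature status is not in trusted_sig_status. Commits outside
    the window are ignored; the same test can be widened later by moving
    window_start earlier.
    """
    findings = []
    for c in commits:
        if not (window_start <= c.authored_at <= window_end):
            continue
        reasons = []
        if c.author_email.lower() not in allowed_emails:
            reasons.append("author not on allow-list")
        if c.sig_status not in trusted_sig_status:
            reasons.append(f"signature status {c.sig_status!r} is not trusted")
        if reasons:
            findings.append((c.sha, reasons))
    return findings


def audit_sample() -> list[tuple[str, list[str]]]:
    """Run the check over the constructed sample with the assumed settings."""
    return suspicious_commits(
        parse_git_log(SAMPLE_LOG), ALLOWED_EMAILS, WINDOW_START, WINDOW_END
    )


if __name__ == "__main__":
    for sha, reasons in audit_sample():
        print(sha, "->", "; ".join(reasons))
```

On the sample, commit 0000003 is flagged twice (unknown address and unsigned) and 0000004 once (bad signature), while 0000005 is skipped because it predates the window. A real run would feed the script the output of `git log` for every affected repository and treat every flagged commit as something to diff by hand, since an attacker with a stolen credential can set any author name and e-mail they like; the signature check is what gives the allow-list teeth.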

The cloud-based identity management platform said it does not rely on the confidentiality of its source code to protect its services, so it continues to run without interruptions and is as secure as ever.

Multiple security incidents involving Okta

Security breaches are never a good thing for any company. Such an occurrence can lead to the loss of valuable data, financial losses, and reputational damage. Companies should take preventive steps to protect their information from being accessed or stolen by malicious actors. Unfortunately, Okta has been on the radar of cybercriminals for a while now.

The first incident involving the company occurred in March 2022, when the Lapsus$ hacking group claimed to have accessed customer information and the company's administrative consoles. The cybercriminals soon began posting screenshots of the stolen data on Telegram.[2]

After briefly examining the claims, Okta confirmed that a hack had indeed taken place in late January 2022 and potentially impacted 2.5% of its customers, estimated to be around 375 organizations out of its 15,000+ customer base at the time. Later the same week, Okta admitted its misstep in not immediately disclosing the breach, which had originated at Sitel (Sykes), one of its third-party contractors.

In April, Okta determined that the January breach had lasted “25 consecutive minutes” and that its repercussions were minimal compared to what was initially predicted: only two customers were affected.

Auth0, which Okta acquired in 2021, suffered a similar breach in which some of its source code repositories were stolen.

In August 2022, Group-IB uncovered a malicious campaign known as “0ktapus”[3] that was designed to steal users' Okta account information and two-factor authentication (2FA) codes from many companies, including Twilio and Cloudflare.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
