Okta had previously been breached by Lapsus$.

Edward Gately, Senior News Editor

December 23, 2022


Okta has acknowledged a breach of its GitHub repositories by threat actors resulting in the theft of its source code.

Okta published a statement about the GitHub breach on its security blog.

“In early December 2022, GitHub alerted Okta about possible suspicious access to Okta code repositories,” it said. “Upon investigation, we have concluded that such access was used to copy Okta code repositories. Our investigation concluded that there was no unauthorized access to the Okta service, and no unauthorized access to customer data. Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully operational and secure.”

Okta said as soon as it learned of the breach, “we promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications.”

“We have since reviewed all recent access to Okta software repositories hosted by GitHub to understand the scope of the exposure, reviewed all recent commits to Okta software repositories hosted with GitHub to validate the integrity of our code, and rotated GitHub credentials,” it said. “We have also notified law enforcement.”

What Hackers Gain

Cybrary’s Matt Mullins

Matt Mullins is senior security researcher at Cybrary.

“Okta’s breach is galvanizing of the perspective that continuous integration and continuous delivery/continuous deployment (CI/CD), along with GitHub repository code, have become the new target upstream of organizations,” he said. “Getting access to these systems gives an advanced persistent threat (APT) group the benefit of having early access to their targets and research vulnerabilities, such as obvious flaws in code, secrets such as hard-coded credentials in scripts, or misconfigurations such as obvious anti-patterns in configurations.”

In general, multifactor authentication (MFA) should be used on as many systems as possible, including GitHub commits and other pushes, Mullins said. With MFA, attackers have less opportunity to push malicious code or backdoors, even if they have obtained credentials.

“The more critical the application or system, the more hardened the MFA should be,” he said.

Previous Breach by Lapsus$

Okta had previously been breached by Lapsus$, with a whole episode of them showing off their access, Mullins said.

“So there should obviously be some concern from consumers with the current instance,” he said. “With services like Okta being critical to enterprises, it should be no shocker that attackers will continue to target the security provider. Who watches the watchmen?”

Solvo’s Shira Shamban

Shira Shamban is CEO and co-founder of cloud security company Solvo.

“Unfortunately, Okta is one of the big tech companies that was hacked multiple times in 2022,” she said.

The attackers likely gained access to the private code repository in one of a few ways, Shamban said: by obtaining credentials or access tokens, or through an identity and access management (IAM) configuration that allowed it.

“Why Okta?” she said. “Attackers see software providers, and especially security and identity providers, as a hub. And hacking them would be an entry point into many other organizations that trust and rely on Okta.”

Ultimately, there was likely human error somewhere in the process, Shamban said. That further proves the “tremendous” need for several mechanisms of security to compensate and back up one another.

Visibility, Notifications Mandatory

Visibility into these security layers, and notifications for possible failures, are mandatory in cloud architecture, where APIs connect so many applications, services and third parties, Shamban said.

“As far as we know, this hack exposed Okta’s source code and not direct access tokens into their customers’ accounts,” she said. “But since we don’t know yet what the exact attack vector was, we can’t say for sure if there’s a specific risk Okta’s customers should be concerned about.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
