Okta Inc. doesn’t yet know how many of its customers were affected by a January data breach that the company waited nearly two months to make public, Chief Executive Officer Todd McKinnon said Monday during an interview with Bloomberg Television.
Okta, which provides user authentication services, revealed last month that it had been hacked in January after a group taking responsibility for the intrusion, Lapsus$, posted screenshots that appeared to show access to Okta accounts. As the “trusted identity provider for over 15,000 companies,” McKinnon said, “anytime something like this happens, it’s a big deal.”
The hackers used an unnamed competitor’s software to break into a third-party call center, where about 40 people acted as support agents for Okta to provide help to customers, he said. Hackers took screenshots of what the support agents were doing on their computers and posted them, McKinnon said.
“I want to be really clear that we’re responsible,” he said. “So third-party this and third-party that. It’s our responsibility to make sure this stuff doesn’t happen.”
McKinnon said as many as 366 customers were potentially affected, but the investigation hasn’t yet determined the exact number.
While Okta learned about the security incident in January, the San Francisco-based company confirmed the compromise on March 22, after Lapsus$ hackers went public with evidence of a breach. The delay was “unacceptable,” McKinnon said Monday, adding that the “communication was not as clear as it should have been.”
But he said an initial investigation in January didn’t reveal the extent of the incident.
“For all intents and purposes, the first time we knew about the severity of this and what hackers actually got, was on March 22,” he said.