Okta source code stolen as a result of GitHub repositories hack. Was remediation possible?
Back in March, we wrote about single-sign-on cybersecurity firm Okta after the company confirmed that hundreds of its customers were hit by a data breach from the Lapsus$ hacking group.
Okta, one of the leading providers of authentication services and Identity and Access Management (IAM) tools, reported a hacker attack on its private GitHub repositories. Okta's source code was stolen by malicious actors earlier this month. Security experts from GitProtect.io, a GitHub backup vendor, advise organizations to stop underestimating attacks on cloud environments and on DevOps or SaaS tools. The end of the year is the perfect time for an examination of conscience on cybersecurity.
What Really Happened?
Two days ago, Okta's security team began emailing IT admins about the details of this security incident. It concerns the Okta Workforce Identity Cloud (WIC) code repositories. However, the attackers failed to gain unauthorized access to the Okta service as a whole or to customer data, because the company follows strict security standards (including HIPAA, FedRAMP and DoD) and does not rely on the confidentiality of its source code for security.
It is worth mentioning that the company's clients include brands such as Siemens, FedEx, T-Mobile, Mazda, Rakuten and more, so the disclosure of their data could have dire consequences for millions of users.
Earlier in December, GitHub notified Okta about suspicious activity in Okta's code repositories. The company's security team investigated the notification from the cloud service provider and concluded "that such access was used to copy Okta code repositories", as stated in the email cited by Bleeping Computer.
Oops, it happened… again
2022 was a tough year for security incidents, and Okta is no exception. The company has suffered a series of hacker attacks, incidents and failures over the past months.
A virtually identical situation occurred in September, when Auth0 fell victim to an attack. Auth0 is an authentication platform owned by Okta that is used by over 2,000 enterprises to authenticate more than 42 million logins every day.
Earlier, in March, Lapsus$, a data extortion group, posted on Telegram screenshots of some stolen Okta data they claimed to have access to. As it later turned out, the actual hack took place in January and affected 2.5% of customers.
It looks like the Okta security team has had their hands full all year, and the Christmas break won’t be so merry after all.
What next?
Is it possible to avoid incidents like the one that happened to Okta? Unfortunately, no. For years, threat actors have been exploiting vulnerabilities to modify data, demand ransoms, and steal and sell data on the darknet. What we can do now is stop deluding ourselves that attacks on cloud services, DevOps and SaaS solutions will not happen. Hackers follow trends and are always one step ahead.
"In Okta's scenario, attackers gained access to their repositories and stole their source code. Such attacks are a real danger to any repositories. Attackers might also remove/wipe/erase repositories they accessed, and there is no other safeguard than reliable GitHub backup," said Greg Bak, Product Development Manager at GitProtect.io.
Having a GitHub backup solution will eliminate the negative effects of such attacks, reduce financial losses and, above all, ensure business continuity and an uninterrupted DevOps workflow.
Okta offers single sign-on and authentication services, enabling employees of corporate clients to sign in to multiple services with minimal fuss. This includes the Okta Mobile app for iPhone and iPad, which enables SSO through the Okta Identity Management Service using Face ID.