Hackers hit authentication firm Okta, used by millions worldwide

Ransom-seeking hacking group Lapsus$ have claimed responsibility. Photo credit: Getty Images

Okta, whose authentication services are used by companies including Fedex and Moody's to provide access to their networks, is investigating a digital breach after hackers posted screenshots of what they said was internal information.

The scope of the hack is unknown, but it could have major consequences because thousands of companies rely on San Francisco-based Okta to manage access to their networks and applications.

In a statement, Okta official Chris Hollis said the hack could be related to a previously undisclosed incident in January which he said had since been contained.

Okta had detected an attempt to compromise the account of a third-party customer support engineer at the time, said Hollis.

"We believe the screenshots shared online are connected to this January event," he said.

"Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January."

Okta shares were down 2.7 percent at US$164.92 in afternoon trading, off earlier lows.

Okta did not disclose whether clients were affected or, if so, how many. It said, "We are continuing our investigation and will provide additional information as it becomes available."

On its website, Okta describes itself as the "identity provider for the internet" and says it has more than 15,000 customers on its platform.

It competes with the likes of Microsoft, PingID, Duo, SecureAuth and IBM to provide identity services such as single sign-on and multi-factor authentication used to help users securely access online applications and websites.

The screenshots were posted by a group of ransom-seeking hackers known as Lapsus$ on their Telegram channel late on Monday, US time. In an accompanying message, the group said its focus was "ONLY on Okta customers."


Security experts told Reuters the screenshots appeared to be authentic.

"I definitely do believe it is credible," said independent security researcher Bill Demirkapi, citing pictures of what appeared to be Okta's internal tickets and its in-house chat on the Slack messaging app.

Dan Tentler, the founder of cybersecurity consultancy Phobos Group, said he too believed the breach was real and urged Okta customers to "be very vigilant right now".

Lapsus$ is a relatively new entrant to the crowded ransomware market but has already made waves with high-profile hacks and attention-seeking behaviour.

The group compromised the websites of Portuguese media conglomerate Impresa earlier this year, tweeting the phrase "Lapsus$ is now the new president of Portugal" from one newspaper's Twitter accounts. The Impresa-owned media outlets described the hack as an assault on press freedom.

Last month the group leaked proprietary information about US chipmaker Nvidia Corp to the Web.

More recently the group has purported to have leaked source code from several big tech firms.

The hackers did not respond to a message left on their Telegram group chat seeking comment.


San Francisco-based Okta, a widely used access management company that competes with the likes of PingID and Duo to provide online authentication services, said it was investigating a digital breach on Tuesday.

The scope of the breach is unknown, but a hack at Okta could have major consequences because thousands of other companies rely on the firm to manage access to their own networks and applications. Okta said the breach could be connected to an earlier incident in January.

Here are some facts about the company:

According to its website, Okta has been in business since 2009 and describes itself as the "identity provider for the internet." It says it has more than 15,000 customers on its platform.

Okta sells identity services, such as Single Sign-On and Multi-factor Authentication used to log in to online applications and websites.

Hundreds of large companies, such as FedEx, T-Mobile, Moody's and Coinbase, use Okta's services.

Global cloud services provider Cloudflare also uses Okta. Cloudflare CEO Matthew Prince said in a tweet that the company had reset the credentials of some employees "out of (an) abundance of caution" but had "confirmed no compromise."

In a 2019 interview with CNBC, Okta's CEO, Todd McKinnon, said the company had more than 100 million registered users.

Okta competes with the likes of PingID, Duo, SecureAuth, Microsoft and IBM. While known for offering employee identification systems, Okta has been expanding its customer identification business, which now accounts for a quarter of revenue.

Earlier this month, Okta said it had agreed to buy its smaller rival Auth0 in a US$6.5 billion all-stock deal, one of the largest software deals so far this year.

Okta reported quarterly revenue of US$234.7 million in March, an increase of 40 percent. The company's share price has jumped during the pandemic, taking the company's market cap to over US$30 billion.