“Following a security breach in January 2022 that affected parts of the Sykes network, we took swift action to contain the incident and protect all potentially affected customers,” the company said in a statement. “As a result of the investigation, along with our ongoing external threat assessment, we are confident that there is no longer a security risk.”
Sykes’ statement said the company “cannot comment on our relationships with specific brands or the nature of the services we provide to our customers.”
As for the “super user” account Lapsus$ claims it accessed, Okta said in an updated statement that SuperUser is an app “used to perform basic tenant management functions for Okta customers” and does not provide “god mode-like” access to all its users.
On its Telegram channel, Lapsus$ posted a detailed (and often self-congratulatory) rebuttal to Okta’s statement.
“The potential impact on Okta customers is NOT limited, I’m pretty sure password resets and [multifactor authentication] would result in the complete compromise of many client systems,” the group wrote. “If you are committed [sic] for transparency, how about hiring a firm like Mandiant and PUBLISHING their report?”
For many Okta customers struggling to understand their potential exposure from the incident, however, none of this does much to clarify the full scope of the situation.
“If an Okta support engineer can reset passwords and multifactor authentication factors for users, that could pose a real risk to Okta customers,” says Red Canary’s McCammon. “Okta’s customers are trying to assess their risk and potential exposure, and the industry as a whole is looking at this through the lens of preparedness. If or when something like this happens with another identity provider, what should our expectations be in terms of proactive notification and how should our response evolve?”
Clarity from Okta would be especially valuable in this situation, as Lapsus$’s overall motivations are still unclear.
“Lapsus$ has expanded its targets beyond specific industry verticals or specific countries or regions,” said Pratik Savla, senior security engineer at security firm Venafi. “This makes it harder for analysts to predict which company is most at risk next. This is probably a deliberate move to keep everyone guessing because these tactics have served attackers well so far.”
As the security community struggles to deal with the Okta situation, Lapsus$ may have even more to reveal.
Updated Wednesday, March 23, 2022, at 12:20 a.m. ET to include extended comment from Okta, including the percentage of customers it says is potentially affected by the breach.
Updated on Wednesday, March 23, 2022 at 12:10 p.m. ET to include the exact number of customers who could be affected by the breach, new details about the third-party processor whose employee account was accessed, and claims by Okta that SuperUser is an app without “god-like access mode” to customer accounts.