Okta says source code for Workforce Identity Cloud service was copied

Image: Screenshot showing source code (credit: Getty Images)

Single sign-on provider Okta said on Wednesday that software code for its Okta Workforce Identity Cloud service was copied after intruders gained access to the company’s private repository on GitHub.

“Our investigation concluded that there was no unauthorized access to the Okta service, and no unauthorized access to customer data,” company officials said in a statement. “Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully operational and secure.”

The statement said that copied source code pertains only to the Okta Workforce Identity Cloud and doesn’t pertain to any Auth0 products used with the company’s Customer Identity Cloud. Officials also said that upon learning of the breach, Okta placed temporary restrictions on access to the company’s GitHub repositories and suspended GitHub integrations with third-party apps.

“We have since reviewed all recent access to Okta software repositories hosted by GitHub to understand the scope of the exposure, reviewed all recent commits to Okta software repositories hosted with GitHub to validate the integrity of our code, and rotated GitHub credentials,” the statement added. “We have also notified law enforcement.”

The Okta Workforce Identity Cloud provides access management, governance, and privileged access controls in a single package. Many large organizations handle these things piecemeal using manual processes. The service, which Okta introduced last month, is designed to unify and automate these processes.

Last March, the Lapsus$ ransomware group posted images that appeared to show it had obtained proprietary data from Okta and Microsoft. Okta officials said the data was obtained after the threat actor gained unauthorized access to the account of a “third-party customer support engineer working for one of our subprocessors.”

The company said the attempt to breach Okta was unsuccessful and that the access the hackers gained to the third-party account didn’t allow them to create or delete users, download customer databases, or obtain password data. Lapsus$ members disputed this claim and noted that the screenshots indicated they had logged into the superuser portal, a status they said gave them the ability to reset the passwords and multifactor authentication credentials of 95 of Okta’s customers.

In August, Okta said that hackers who had recently breached security provider Twilio used their access to obtain information belonging to an unspecified number of Okta customers. Twilio disclosed the breach three weeks earlier and said it allowed the threat actor to obtain data for 163 customers. Okta said the threat actor could obtain mobile phone numbers and associated SMS messages containing one-time passwords of some of its customers.

In September, Okta revealed that code repositories for Auth0, a company it acquired in 2021, had also been accessed without authorization.

Wednesday’s disclosure of the Okta source-code copying was first reported by Bleeping Computer.

https://arstechnica.com/?p=1906375