Okta has disclosed that its private GitHub repositories containing its source code were compromised earlier this December, but the company has reassured customers that their data was not affected and that the attackers did not gain access to private data. Okta has also temporarily restricted access to its GitHub repositories for integrations and third-party applications. Still, the theft of Okta’s source code raises questions about the security of its systems and the potential for future attacks. Okta is widely known for its authentication and identity and access management (IAM) services.
Threat actors steal Okta’s source code
Based on a private email notification sent by Okta and obtained by BleepingComputer, the security incident involved threat actors stealing the company’s source code. Okta has stated that its HIPAA, FedRAMP, and DoD customers remain unaffected as the company “does not rely on the confidentiality of its source code as a means to secure its services.” The company has taken steps to ensure that the stolen code cannot be used to access company or customer environments and does not anticipate any disruption to its business or ability to service customers as a result of the incident. Okta has also notified law enforcement and has published a statement on its blog.
Okta’s Previous Security Incidents
This is not the first time Okta has faced security incidents this year. In September, Okta-owned Auth0 disclosed a similar incident in which older Auth0 source code repositories were obtained by a “third-party individual” from its environment via unknown means. In March, data extortion group Lapsus$ claimed to have access to Okta’s administrative consoles and customer data, posting screenshots of the stolen data on Telegram. Okta subsequently admitted that it had experienced a hack in January that potentially affected 2.5% of its customers or approximately 375 organizations.
In the wake of the January hack, Okta faced criticism for delaying the disclosure of the incident. The company admitted to “making a mistake” in its handling of the disclosure and apologized to affected customers.
The series of security incidents and bumpy disclosures has raised concerns among Okta customers and industry experts. Companies need to prioritize security and promptly disclose any incidents to keep the trust of their customers and maintain the integrity of their systems. Okta’s handling of the various security incidents it has faced this year will likely be closely scrutinized by its customers and the wider industry.
EXCLUSIVE: #Okta says its GitHub source code repositories were stolen this December in a 'confidential' security notification sent to 'security contacts' that include IT managers at various organizations. pic.twitter.com/noNPPGaRyh
— Ax Sharma (@Ax_Sharma) December 21, 2022
Okta’s response to the hack
To address these concerns, Okta has implemented a number of measures to improve the security of its systems and data. These measures include regular security audits, encryption to protect data in transit and at rest, and multifactor authentication to ensure that only authorized users can access sensitive systems. Despite these safeguards, thieves and hackers are constantly looking for new entry points into sensitive systems and data. This highlights the importance of continuous security vigilance and the need for companies to regularly review and update their security measures to stay ahead of emerging threats.
Okta will need to demonstrate that it is taking all necessary steps to protect its systems and data and that it is committed to transparency and communication with its customers in the event of any future security incidents. In the competitive world of cybersecurity, the ability to provide reliable and secure products and services is essential. Companies that don’t sufficiently safeguard their systems and data risk losing the confidence of their clients and damaging their brand.
It is important for companies like Okta to understand the severity of security incidents and take appropriate measures to protect their systems and data. In the case of Okta’s most recent hack, the theft of the company’s source code raises concerns about the security of its systems and the potential for future attacks. While Okta has reassured customers that their data was not impacted, the company will need to work hard to rebuild confidence and demonstrate its commitment to the security and protection of its systems and data.
The importance of cybersecurity cannot be overstated in today’s digital landscape. It is essential that businesses take action to protect their data and systems against cyber threats, given the growing reliance on technology and the internet in all spheres of business and personal life.
This includes implementing strong security measures, regularly reviewing and updating those measures, and promptly disclosing any security incidents to ensure the trust of customers.
Okta’s handling of the various security incidents it has faced this year will be closely watched by its customers and the wider industry. The company will need to work hard to demonstrate its commitment to security and regain the trust of its customers. Only time will tell how successful the company will be in this effort, but it is clear that the stakes are high.
The impact of cybersecurity breaches on businesses can be severe. Cyberattacks can cause financial losses from the expense of responding to and recovering from the incident, in addition to the possible loss of customer trust and harm to a company’s reputation. According to a report by Cybersecurity Ventures, the global cost of cyberattacks is expected to surpass $10 trillion by 2025.
Importance of Cybersecurity for Businesses
The importance of cybersecurity is not limited to large businesses and organizations. Small and medium-sized businesses are also at risk of cyberattacks, and the impact of a breach can be especially devastating for these companies. According to the National Cyber Security Alliance, 60% of small firms that suffer a cyberattack fail within six months.
Businesses can take a number of precautions to defend themselves from cyberattacks. These include implementing strong passwords and using multifactor authentication, regularly updating software and security measures, and educating employees on best practices for cybersecurity. Identifying key individuals and establishing procedures for communicating with clients and other stakeholders are crucial components of a business’s response plan for a cyberattack.
Role of Government and Private Sector in Cybersecurity
The role of government in cybersecurity is a complex and evolving issue. Governments around the world have implemented a range of measures to protect against cyber attacks, including laws and regulations, international cooperation agreements, and investment in cybersecurity research and development.
However, there are also concerns about the use of government resources for cyber espionage and the potential for government-sponsored attacks on private sector systems. The private sector’s role in cybersecurity is equally important. Private companies, including those that offer cybersecurity products and services, play a crucial role in protecting against cyberattacks and helping businesses and organizations secure their systems and data. The success of these efforts is vital for the overall security of the global economy.
“This time Okta’s reaction seems to be much faster and more professional compared to the January incident. The consequences of this security incident may seem insignificant, however, access even to a small part of the source code may have a domino effect on the organization. Oftentimes, some parts of source code are shared among different products, offering attackers a plethora of unique opportunities to reverse engineer business-critical software and find 0day vulnerabilities.
“Likewise, modern source code still contains numerous hardcoded secrets, such as database passwords or API keys, despite the growing implementation of more secure mechanisms to handle secrets. This incident is a telling example that cybercriminals are now actively targeting their victims’ CI/CD pipelines that become prevailing in a corporate environment, whilst being largely underprotected due to the novelty and comparative complexity of the technology. We should expect more similar attacks in 2023.”
“Okta’s breach is galvanizing of the perspective that CI/CD (along with git repos for code), have become the new target upstream of organizations. Getting access to these systems gives an APT group the benefit of having “early access” to their targets and research vulnerabilities (such as obvious flaws in code), secrets (such as hardcoded creds in scripts), or misconfigurations (such as obvious anti-patterns in configurations).
“In general, things like MFA should really be used on as many systems as possible, including git commits and other pushes! With this setup, on almost every major action (like commits), there is less opportunity for attackers to push malicious code or backdoors, even if they have credentials. With MFA fatigue being a new factor, the more critical the application or system, the more hardened the MFA should be. OTP, Mobile push, SMS, and other weaker methods shouldn’t be used in favor of stronger authentication methods like FIDO2.
“Okta had previously been breached by Lapsus$, with a whole episode of them showing off their access, so there should obviously be some concern from consumers with the current instance. With services like Okta being critical to enterprises, it should be no shocker that attackers will continue to target the “security” provider. Who watches the watchmen? One last key point, Okta did not disclose this issue right off the bat, so who is to say there are not other issues in the background that are currently not “bubbled up” to customers?
“Okta and other security providers are a critical part of the application ecosystem for enterprises and for the most part the service(s) they offer are important. We have to maintain an assumed breach model (via tabletops, Red Team engagements, or other approaches) with a focus on security in depth with layers. There is no “silver bullet” in security so it’s critical to design our enterprises to be resilient and make sure that each step of the kill chain adds more complexity for attackers!”
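As an added illustration of the hardcoded-secret risk raised in the commentary above (example code, not Okta’s or the commentators’ own): a small scanner that flags quoted literals assigned to secret-like variable names by Shannon entropy, plus fixed-format credentials such as AWS access key IDs, run over constructed sample source lines. The variable names, entropy threshold and sample values are assumptions.

```python
import math
import re

# Constructed sample source (not Okta's code): two hardcoded secrets that a
# scanner should flag, plus lines that look similar but are benign.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
DB_PASSWORD = "Tr0ub4dor&3-prod-2022!"
api_key = os.environ.get("API_KEY")
aws_access_key_id = "AKIAEXAMPLE0000TEST1"
TOKEN_TYPE = "Bearer"
"""

# Secret-like variable names; a quoted literal assigned to one of these is
# checked for entropy, so a well-known placeholder such as "Bearer" is skipped.
SECRET_NAME = re.compile(r"(password|passwd|secret|api[_-]?key|token|access[_-]?key)", re.I)
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([^"']+)["']""")
# Credential formats with a fixed structure; matched regardless of variable name.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score high."""
    freq = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())

def mask(value: str) -> str:
    """Keep only a short prefix so findings can be logged without leaking the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_source(text: str, min_entropy: float = 3.0) -> list:
    """Return (line_number, kind, masked_value) for each suspected hardcoded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in KNOWN_FORMATS.items():
            m = pattern.search(line)
            if m:
                findings.append((lineno, kind, mask(m.group(0))))
                break
        else:
            m = ASSIGNMENT.match(line)
            if m and SECRET_NAME.search(m.group(1)) and shannon_entropy(m.group(2)) >= min_entropy:
                findings.append((lineno, "high_entropy_literal", mask(m.group(2))))
    return findings

if __name__ == "__main__":
    for lineno, kind, shown in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {shown}")
```

Running it on the sample flags lines 2 and 4 only; the environment-variable lookup and the "Bearer" placeholder are not reported.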
This continues an awful year for Okta in terms of cybersecurity, adding to high-profile issues in March and September. While these events appear to be disconnected, it seems possible that the breaches could be part of a larger event, foreshadowing a significant supply chain attack for organizations reliant upon Okta for identity and access services.
As an Okta customer, I would be worried about three things: 1) Is there a fundamental problem with how Okta is managing their environments? 2) Has the Okta platform been somehow compromised that would threaten my operation? 3) What, if anything, can I do quickly to minimize or mitigate the risk to my organization?
How Okta responds to this event and reassures its customers will set the tone for 2023 and may be telling about Okta’s future as the premier provider in this space.
Firstly, I applaud that Okta has not tried to cover this incident up, it shows a high level of maturity and ownership.
I imagine that whoever was able to gain access to the source code is now reviewing that code for security related issues. If history has taught us anything, it’s that writing secure code is very difficult; it’s also proven difficult to secure the hosting and management of code.
Moving forward, I would implore all code creators to secure access to their code and their repositories; it might sound obvious, but following the principle of least privilege and defence in depth is as important now as it’s ever been.