Dive Brief:
- Okta on Wednesday confirmed its source code repositories were accessed and copied by an unauthorized party on GitHub earlier this month.
- An investigation concluded customer data was not accessed and the Okta service remains uncompromised, the identity and access management platform said in a blog post.
- The threat actor accessed code related to the Okta Workforce Identity Cloud, the company’s security offering for enterprises. Products related to Auth0, which Okta acquired in 2021, are not impacted, the company said.
Dive Insight:
This marks the third major security incident to hit Okta this year. The company has more than 14,000 customers and at least 7,000 integrations with cloud, mobile, web and IT infrastructure providers, according to its annual report.
Okta earlier this year initially denied then later admitted it was breached by the extortion group Lapsus$. The group gained access to Okta data through a third-party vendor, then published screenshots months later to boast of the exploit and goad Okta’s response.
In August, Okta was one of 163 Twilio customers impacted by an expansive phishing attack.
That campaign, dubbed Oktapus by researchers at Group-IB, compromised 10,000 credentials across 136 organizations. Some of those included Okta identity credentials and one-time authentication codes.
In the latest incident, Okta downplayed the impact of the theft of code repositories on GitHub.
“Okta does not rely on the confidentiality of its source code for the security of its services,” an Okta spokesperson said in a statement. “This event does not impact any other Okta products, and we have been in communication with our customers.”
The company said it temporarily restricted access to the GitHub repositories and suspended GitHub integrations with third-party applications to review all recent commits to Okta repositories and validate the integrity of its code. GitHub credentials were also rotated, the company said.
“Source code has been a common target for threat actors for years,” Zaid Al Hamami, founder and CEO at DevSecOps startup BoostSecurity, said via email.
“Even though losing the source code does not directly imply that customer account breaches have occurred, attackers can go on to scan the code for additional vulnerabilities, tokens or insights that could lead to further breaches in the development and/or the production environment,” he said.
