from Hacker News

Okta: “We made a mistake” delaying the Lapsus$ hack disclosure

by chockchocschoir on 3/27/22, 11:12 AM with 63 comments

  • by the_duke on 3/27/22, 2:17 PM

    There are so many red flags here, it's not even funny anymore.

    * a third party has barely restricted, deep access to all customer data

    * the "SuperUser" app can apparently have logged in users idling around in a VM, waiting for someone to come along and use it without any automatic logout and re-authentication

    * a single account accessing 300+ customers in a few days doesn't trigger any alerts

    * they detect a compromise, and do absolutely nothing about it for months, except letting the third party order a security audit; they patiently wait for a report; they don't even audit the access logs

    * only a screenshot posted online triggers an audit of access logs and a public response

    * they still try to blame the third party and the security firm for their own (basically outrageous) inactivity

    All of this by a company entrusted with the most critical gatekeeping functionality of systems, used by many large enterprises and expected to have top notch security.

  • by GordonS on 3/27/22, 12:58 PM

    They blatantly lied. A third-party auth provider, where trust is absolutely crucial, and they lied about being breached. Repeatedly.

    And even now, they are not coming out and being honest like "we lied because we were scared about liability, but the person behethis decision has been fired". It's not good enough.

    Sorry, but they have some serious work to do if they want to regain that trust. I for one, will not be using their services again.

  • by politelemon on 3/27/22, 1:01 PM

    It's been frustrating dealing with their constant double speak and contradictions in their blog posts. The worst example was them saying that it's not a breach and then showing how they've been breached by the very definition of the term.

    The only rational reason I can come up with for this duplicitous talk is for the shareholders; with this double speak they can reduce just how much their shares fall. I'm not on a high horse, I'm positive that most of our orgs was do the same thing.

    And I'm not surprised that they're just like all other large companies that choose money/PR over accuracy. What is maddening is that they made it so hard to zero in on required information to help us assess risk; they're at the center of a lot of security workflows, and accurate information is more critical from them than it is from others.

    I fear for Auth0 and what it ~~may~~ will become under Okta's 'culture'.

  • by TechBro8615 on 3/27/22, 12:52 PM

    Is it really fair to call it a “delayed disclosure” if the people who disclosed it were the sixteen year old chavs who popped your billion dollar security business? Are we supposed to believe that Okta would have disclosed this in due time anyway, regardless of whether the teenagers who broke into their system posted screenshots of it on Twitter?

  • by anotherhue on 3/27/22, 12:15 PM

    We pay them exorbitant costs so that they don't make these mistakes. How dare they outsource my security when I'm paying them a premium not to.

    I am a very unhappy customer who is very interested in Keycloak.

  • by Decabytes on 3/27/22, 11:51 AM

    I’d be much more understanding if

    1. They didn’t try to downplay the leak

    2. Didn’t double down on the leak not being a big deal later

    3. Didn’t specialize in authentication and security

  • by notreallyserio on 3/27/22, 1:11 PM

    It's crazy to me that David Bradbury is still shoving Sitel under that bus instead of claiming responsibility for his failure. Is he hoping for a golden parachute here or is the organization so rotten that they cannot admit fault?

  • by bogomipz on 3/27/22, 3:59 PM

    Is there a reason a Okta needs to contract with a third party provider for support? I mean their entire business is security. Is this just penny-pinching or is there a legitimate reason that a publicly traded company can't provide their own support staff?

    This whole thing is like an exercise in plausible deniability, corporate double-speak, blame shifting and arrogance.

  • by lemoncookiechip on 3/27/22, 12:33 PM

    > "We made a mistake"

    You could even say, they had a lapse of judgment. Sorry for the pun.

  • by duped on 3/27/22, 2:48 PM

    What of the rumors about AWS keys being leaked through slack channels that the support account had access to?

    That was plastered all over the HN and reddit threads a few days ago, no mention of it from Okta yet. Did that turn out to be bogus?

  • by anonymoushn on 3/27/22, 2:34 PM

    At this company, a VP eng/CTO type person asked me how I would handle a situation where my teammate was underperforming. I am pretty sure that I failed this interview section and the whole interview loop because the company value of transparency meant that I should have said I would publicly humiliate the person instead of beginning by speaking to them privately.

  • by sylware on 3/27/22, 11:34 AM

    BTW, nvidia is going open source driver or Lapsus did release the code of the hardware and software?

  • by sofixa on 3/27/22, 12:25 PM

    That "mistake" will cost them under GDPR and from lost customer trust.

  • by thedougd on 3/28/22, 1:12 AM

    I wonder if their radius agent still includes all the dev and test time libraries. It use to, or may still include jars related to Maven and JUnit. Not confidence inspiring.