Okta source code stolen in GitHub hack

It's been a rough year for the security provider

Hackers also stole source code from Okta subsidiary Auth0 earlier this year


Security provider Okta has been breached, with attackers apparently stealing the company's source code.

Source code theft is no joke, especially when it comes to security products. Okta is a prominent provider of authentication services, and while user data is probably more valuable by itself, criminals could use Okta's source code to find hidden vulnerabilities and launch further attacks against customers.

The company says hackers breached its GitHub repositories earlier this month, according to a 'confidential' notification the company has emailed to its 'security contacts'. BleepingComputer confirmed the notification was genuine.

David Bradbury, Okta's Chief Security Officer, said in the message that no customer data was affected, including data belonging to "HIPAA, FedRAMP or DoD customers" - that is, US-based healthcare, government and defence sector organisations.

Bradbury notes that GitHub alerted Okta about "possible suspicious access" to its code repositories in early December. Okta investigated and concluded that the access had been used to copy said repositories. However, there was no unauthorised access to the Okta service itself, or to customer data.

"Okta does not rely on the confidentiality of its source code for the security of its services," Bradbury added, clearly hoping to quell justifiable concerns.

At the time of writing the breach appears to be limited to Okta's Workforce Identity Cloud product, not Auth0 Customer Identity Cloud.

Bradbury ended by highlighting Okta's "commitment to transparency". The company is due to publish a statement about the incident later today.

To: Security Contacts

I would like to share context and details around a recent security event. Please note: We have confirmed no unauthorized access to the Okta service, and no unauthorized access to customer data. There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers. No customer action is required and the Okta service remains fully operational and secure.

In early December 2022, GitHub alerted Okta about possible suspicious access to Okta code repositories. Upon investigation, we have concluded that such access was used to copy Okta code repositories.

Our investigation concluded that there was no unauthorized access to the Okta service, and no unauthorized access to customer data. Okta does not rely on the confidentiality of its source code for the security of its services.

As soon as Okta learned of the possible suspicious access, we promptly placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications.

We have since reviewed all recent access to Okta software repositories hosted by GitHub to understand the scope of the exposure, reviewed all recent commits to Okta software repositories hosted with GitHub to validate the integrity of our code, and rotated GitHub credentials. We have also notified law enforcement.

Additionally, we have taken steps to ensure that this code cannot be used to access company or customer environments. Okta does not anticipate any disruption to our business or our ability to service our customers as a result of this event.

Note: The security event pertains to Okta Workforce Identity Cloud (WIC) code repositories. It does not pertain to any Auth0 (Customer Identity Cloud) products.

We have decided to share this information consistent with our commitment to transparency and partnership with our customers.

An insecure year

Okta has had a bumpy year when it comes to security, starting in January with a breach tied to ransomware gang Lapsus$ - although the company didn't disclose the breach until March. It later admitted that delaying the announcement had been a 'mistake' - but added that the breach had been at a third-party supplier, Sitel, rather than within its own network.

In April Okta said the January breach had lasted for '25 consecutive minutes', and downgraded the extent of the impact: it was limited to just two customers.

However, the issues didn't stop there. In September hackers breached Okta subsidiary Auth0, targeting the company's source code - a similar modus operandi to today's incident.