
Who’s Behind the Okta Hack?

Even if you aren't familiar with Okta, you've probably used it. The digital login system is used by thousands of companies across the world to manage employee logins to various cloud services. Which makes it a real problem when that system, and all that login info, gets hacked.

This week on Gadget Lab, WIRED senior writer Lily Hay Newman joins the show to tell us about the group behind the recent Okta hack, how the hackers took control of such a vast system, and what happened in the aftermath.

Show Notes

Read all of Lily’s stories about Lapsus$ and the Okta hack. This episode was recorded and scheduled shortly before news broke that two teenagers in the UK have been charged in connection with the hacks.

Recommendations

Lily recommends setting up two-factor authentication on all your services. (Here’s how!) Mike recommends the podcast Poog with Kate Berlant and Jacqueline Novak.

Lily Hay Newman can be found on Twitter @lilyhnewman. Michael Calore is @snackfight. Lauren Goode is @LaurenGoode. Bling the main hotline at @GadgetLab. The show is produced by Boone Ashworth (@booneashworth). Our theme music is by Solar Keys.

How to Listen

You can always listen to this week's podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here's how:

If you're on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts, and search for Gadget Lab. If you use Android, you can find us in the Google Podcasts app just by tapping here. We’re on Spotify too. And in case you really need it, here's the RSS feed.

Transcript

[Gadget Lab intro theme music plays]

Michael Calore: Hi, everyone. Welcome to Gadget Lab. I'm Michael Calore. I'm a senior editor here at WIRED. Lauren Goode is out this week. She will be back next time, but joining me today is WIRED senior writer Lily Hay Newman. Hi Lily.

Lily Hay Newman: Hello. I'm happy to be here.


MC: Well, thanks for being here. It's just the two of us this week, so hopefully we can keep things interesting for everybody.

LN: I know, I feel Lauren's absence keenly.

MC: I'm alone in a room with the producer, so I do as well. Lily, we wanted to have you on this week because you just wrote a series of big stories for WIRED about the recent hack of the digital identity provider Okta and the group of hackers who claimed responsibility, a group that calls itself Lapsus$, that's L-A-P-S-U-S $.

LN: Obviously.

MC: Obviously. We hear a lot of stories about corporate hacking, ransomware attacks, and data breaches. And while all of those stories are concerning, for sure this particular hack is especially troubling, because the target, Okta, is a service that thousands of businesses and organizations use to manage their employees' logins to their various cloud services. Now, we have you on the show this week to walk us through the timeline here and to help us get a sense of the scope of this hack. So in order to better understand all of that, I want to start by talking about the target. We use Okta here at WIRED every day, and many of our listeners are deeply familiar with it, but for those who aren't, can you tell us what is Okta?

LN: Yeah. So Okta is, as you said, an identity management platform. Basically the concept is, if you're a business and your employees need to use lots of different cloud platforms and services to do their jobs, so, right? There's email, but then there's also, let's say, inventory tracking or billing or whatever, all sorts of logistics of your company, and the digital tools that the employees are using. If every one of those has a different login and all your employees are managing tons of usernames and passwords, or even worse, they're sharing logins, usernames, and passwords, it's going to be easier for someone to hack into those accounts—and not even really hack, but phish or even guess the passwords, things like that. And if you try to add what we call multifactor authentication, like a code generating app, so you put in your username and password and then you have to produce the code, or like a physical authentication dongle, where you have to plug something in.

If you try to add that on top—which is a good practice, right? To secure all of those different accounts, it's just too much for employees to deal with. And think about a university with students, right? Like, this is just very complicated, and therefore very insecure, because people are going to do whatever makes it easier for them. So a service like Okta is centralizing all the logins for all sorts of different services that are not connected, are not developed by the same company, whatever it is, and putting them all behind this one login portal. So all you need is your Okta credentials, and then you can get into everything you need and not have to juggle 12 different things.


MC: Yeah. Like, we don't even call it Okta. We just call it Single Sign-On because that's the way it performs for us.

LN: Exactly.

MC: So how many companies are on Okta? Like, how many companies use it?

LN: Okta says it has more than 14,000 customers. So a lot of people, a lot of organizations, a lot of layers of dependency on this. It's all hinging on this one point.

MC: And now, please tell us what was the hack? What did Lapsus$ do to Okta?

LN: So what actually happened is not only a direct hack of Okta. Like many companies, Okta works with a number of partners to help manage its enterprise, like process data, their contractors basically, and Okta calls them subprocessors. But because a company like Okta is so critical, and it's dealing with such sensitive information—it's such a sensitive mechanism is what I'm trying to say—they don't have a lot of subprocessors. It's only about a dozen, and they're all sort of big names—AWS, things like that—who they're working with. But one of them is actually the organization that was first compromised to get to a privileged Okta account. So it's sort of like a two-step process to get there. And that organization is called Sitel, and particularly a division that Sitel acquired, called Sykes.

So the hackers targeted an employee within Sykes Sitel who had privileged access to do customer service and deal with Okta clients and data. And they compromised that account. And in doing so, that means even though a trove of passwords wasn't directly compromised, you're getting a lot of privileges, right? A lot of power from that account, because, for example, that account was empowered to reset passwords and reset multifactor authentication. So even though you didn't know what the old password was necessarily, and they're not just accessing like a plaintext list of everybody's password at 14,000 companies or something like that, the account was giving the attackers the ability to say, “OK, well, I don't care, because I'm just going to set a new password, and I'm going to remove this multifactor authentication and set my own multifactor authentication” or whatever it is.

And so that is the danger, and why this was such a massive revelation, because as we'll talk about, Lapsus$ has also compromised a lot of other big companies. Okta and Sitel are not alone, but there's sort of this additional significance and this additional potential risk for Sitel and Okta because of Okta's position within so many other companies.

MC: Yeah. Can you tell us more about Lapsus$? How long have they been around, and how did they come to our attention?

LN: The group is very interesting. They have a very chaotic energy. They emerged at least in the form that we now know them in December. And in just a few months, they've just been on this rampage, this tear, and ramping up the size and significance of the organizations they're targeting. So they started out targeting like media companies, some ecommerce sites—big companies in themselves, it's not to diminish it. Some in South America, some in the UK, a little bit across Europe, but then just sort of took a huge leap at some point to start grabbing data from companies like Nvidia and Samsung, and obviously it's kept escalating to Okta. But also the same day that they announced or sort of leaked screenshots indicating that they had this sort of compromise of Okta, they also started dumping source code stolen from Microsoft related to Bing, Bing Maps, and Cortana.


These leaks weren't the entire source code of all three of those products, but like significant revelations about all three. Typically we would think like, Oh, it's a ransomware group, right? Because that's a lot of what we've all been hearing about lately. Like, big companies being targeted by hackers who get malware into their networks, and that malware encrypts all the data. And then the hackers say, “If you pay us a ransom, we'll give you the decryption key.” Right? That's not really what Lapsus$ is doing. Lapsus$ has not been seen deploying encryptors. Instead, all they're doing is getting into companies, finding the most sensitive, wild stuff they can, exfiltrating the data, and then saying to the companies, “OK, we have this. Pay us so we won't release it.” And so it's extortion.

Lately, ransomware actors have been kind of combining these two techniques, and they'll do ransomware, like encrypting all the data plus extortion. So it kind of like layers, the pressure to try to get the victims to pay up, but Lapsus$ isn't doing that. And it's pretty interesting because it seems like they are financially motivated, but it's kind of complicated by the fact that they don't seem to be maximizing profits or attempting to maximize their profits in the way other threat actors have been lately.

MC: So early on in this saga, security researchers were suggesting that maybe Lapsus$ was a state-sponsored group or had some sort of political motivation. Have we learned anything at all about their identity?

LN: Yeah. It is a great question. And it's sort of the $64,000 question right now. Lapsus$ has been so successful—that's air quotes or scare quotes “successful,” right? Obviously this is all criminal and bad activity, because they're not to be too impressed, but they've hit such high-profile targets and successfully infiltrated them that I think it was reasonable that people were saying just like, "Who are these people?" Like, "Who is this group? And is it state sponsored, or … ?" But so far researchers really haven't seen evidence of that. And repeatedly they've come to the conclusion that they are teens or like very inexperienced, and having youthful enthusiasm and optimism. It is still not totally clear. At first, it seemed like maybe the group was totally based in South America, or perhaps led by folks in Brazil, maybe there's a UK component.

Now it's a lot less clear. They definitely could have members in multiple places. They do not seem to be a traditional Eastern European or Russia-based group, at least based on all the research so far. There were some teens who were arrested in the UK potentially in connection with Lapsus$, but they have all been released. So currently it's a bit unclear, but again and again, the researchers have just converged on this idea that it seems like it is sort of an inexperienced, but clearly talented and motivated group. I mean, it's not to diminish or sort of disparage. It's just like, that's what seems to be the deal, that they are just loving this joy ride and just going nuts.


MC: All right. Let's take a quick break and we'll be right back.

[Break]

MC: Lily, can you briefly tell us the mechanics of how this hack worked? Like, how the group compromised the account at the subprocessor?

LN: So details are still emerging. We don't have a totally complete picture. Definitely, the crux of it is as we described, that an employee or maybe a couple of employees were targeted by Lapsus$ because Lapsus$ suspected that they had this access that they wanted, but what we don't really know is exactly what the path was. This breach happened at the end of January, and at the time, Sitel did send a breach notification and sort of a series of customer communications to their customers, which would include Okta. And in it, they mentioned some other compromises, like that maybe their VPN service was compromised. And so maybe that's how the attackers got in. Was it that, or was it sort of more directly targeting the Okta account itself from the start? A question we could ask ourselves is, well, wasn't there multifactor authentication on those accounts? Right?

Like, did they just sort of get into someone's VPN account? Maybe it was by exploiting a vulnerability, but maybe it was by grabbing credentials. Lapsus$ does seem to use phishing as their primary tactic. You can get pretty far by being a very skilled phisher. We've seen this in a lot of different types of cyber crimes. So if that's the case, it brings up this point that multifactor authentication, as it's currently deployed, can sometimes still be compromised or defeated. If you're using the type of multifactor authentication where you use like a code-generating app, right? Authy or Google Auth or various apps, where you sort of link all your accounts to it. They're not really linked. It's just to generate codes.

MC: Sure. It gives you a one-time password.

LN: Thank you. Exactly.

MC: It's usually like a six digit code. It changes every 20 seconds.

LN: Exactly. You know the one. I hope all our listeners know what we're talking about, because they have it on their devices. Anyway, one thing attackers can do is they can do things like making landing pages that look like real login pages, whether it's Netflix or Google or Sitel or whatever, Okta, and it looks real. And so you go to log in and you put in your code because you're expecting this page to ask you for the code. So you're not suspicious, because you're like, “Yeah, that's how I log into stuff.” But then it's not your real login page. It's an attacker-controlled page, and they grab the code, and then they very quickly, in real time, go and log into your account for real. And something that works well for them about that is then if you get an email that's like “suspicious login attempted,” you might not pay too much attention to it.


If you read that warning really closely, you might see like, well, wait, I'm not in Argentina or I'm not in Brazil or I'm not in the UK right now. So why is the login from there? But if you're not really paying attention, you may not think much of it, because you did just log in. There's a whole area there that they can kind of capitalize on, but there are other ways to do it too. They can do it with social engineering, where you're sort of trying to manipulate someone's behavior or trick them. People think they're talking to a customer service representative and they say, “OK, log into your account. And then just give me the code. I just need the two-factor authentication code.” And sometimes if someone is very sure of themselves and confident and they kind of sell it, they say it in a way that feels like it makes sense, even though it doesn't actually make sense, you might just do it. Anyway, all of these are different ways that attackers can try to defeat multifactor authentication, and it seems like something like that may have played a role here.

MC: It really underscores the fact that a lot of hacking isn't code, it's hacking humans and hacking human behavior.

LN: Definitely.

MC: So you mentioned that these events occurred at the end of January. How come we're just finding out about them now at the end of March?

LN: I'm so glad you asked that. I am also curious about that. At the beginning of all of this, a few days before, Sitel realized that something was wrong and sent all these communications to their customers. Okta had in fact notified Sitel of a suspicious MFA prompt and a suspicious login on one of these empowered Okta accounts that was being used by someone at Sitel to do the subprocessor work. We don't know the extent of the communication at that time, but they were at minimum aware that there was some type of something, and then five or six days later, they would've gotten this customer communication from Sitel saying actually something did happen. We do have a bit of a problem. So yeah, it's unclear why at the time, everyone wasn't all over this, but maybe they were. We haven't really gotten the full story from either company about the exact breakdown of events.

Sitel said, well, we've engaged this firm, which is Mandiant, the incident-response firm Mandiant. And they declined to comment to WIRED, just for what it's worth, but we did reach out to them. And we engage them and they're going to do their investigation. And then we'll see what the results of that are. So then that's a lot of the time you're looking at, like the February and first week of March or something was that investigation. But then on March 17th, Okta has said publicly that they received that report. I published a story about that. There was a leak that showed one of Sitel's customer communications from January and also showed the timeline that Sitel released that seemingly was either produced by Mandiant or based on the investigation that Mandiant did.


That timeline is very concerning. Like, if I were reading that as an executive of a company that works with this other company that got breached, the red flags, the warning bells would just be flying and going off everywhere, because it shows that something major was going on, that the attackers were using well-known, very off-the-shelf, widely available hacking tools to move within the network, gain deeper access, vacuum up passwords—classic stuff that it doesn't take a huge amount of technical knowledge to recognize.

What's really unclear is after that March 17th report came out, Okta says that they weren't really fully focusing on this until Lapsus$ itself posted screenshots and announced to the world that they had done this on March 21st. And Okta has finally said after a lot of pressure from WIRED and the press that maybe they were a bit slow in reacting once they got that report on March 17th. But that's all we know so far. And we're still waiting to hear more from the two companies.

MC: You talked a little bit about the Lapsus$ group communicating with the rest of the world. They have a Telegram channel. And for people who maybe aren't familiar with Telegram and how it works, can you tell us what goes on there and how Lapsus$ communicates?

LN: Yeah, this is another fun … I mean, again, I have to keep reminding myself and everyone, it's not really fun. This is really unacceptable criminal behavior. But it's just kind of wacky or whatever. And so it kind of fits with this Lapsus$ persona of, like, the joy ride of their lives or whatever's going on. So yes, they have a Telegram channel. Telegram is a communication platform that bills itself as being very secure, but the thing that's really exploded about Telegram as you're describing is the channels. These are open public channels that anyone can join. And it's just sort of this brain feed of an entity in this case, Lapsus$ talking to an audience, and then people can comment and kind of participate.

This is where they do everything. They announce their new compromises, their new victims, they share screenshots, they share links to data troves, they're actively engaging with the public about their criminal activity and leaking data. And it's kind of a wild ride. If you follow the Telegram channel, you get notifications from Lapsus$ at all hours of the day and night about what they're up to and what they're thinking.

MC: All right. Well, that feels like a good place to end it. Let's take a quick break, and when we come back, we'll do our recommendations.

[Break]

MC: All right, let's switch gears a little bit; we're not going to talk about hacking anymore. We're going to do our recommendation segment, where we have our guest and then our hosts talk about all of the things that they want our listeners to check out. So Lily, you get to go first. What is your recommendation?


LN: I have a recommendation, and then I have an admission of guilt.

MC: Let's do that first. That sounds like fun.

LN: OK. The thing I wanted to share with the group and kind of get off my chest is that the last time I came on the Gadget Lab podcast, I shared incorrect information, and it has been eating at me ever since. So I just want to set the record straight. My entire recommendation was a sham because I recommended upgrading from an iPhone 6S, for those of us who were still on an iPhone 6S, because I thought that you couldn't run iOS 15 on an iPhone 6S. But it turns out that was wrong. And you actually can, which is like kind of wild and mind-blowing. And I'm not exactly sure at what point in the communication stream that broke down for me, but I just wanted everyone to know that I was wrong about when the iPhone 6S was not going to be supported anymore for iOS. Nonetheless, I did do a massive life-altering phone upgrade to an iPhone 8.

MC: Nice. And I'm sure, like, regardless of what software support is on it, I'm sure the camera's better, the screen is better, there's a lot probably better about it, right?

LN: Most of all, people had always said that the battery life on the iPhone 6S was not good. Wow. I can confirm that is like the biggest change. I mean, that … Wow. Anyway.

MC: Yeah, nothing like a fresh battery.

LN: In the morning.

MC: In a brand new phone, in the morning.

LN: OK. So thank you, now my conscience is clear. I feel a lot better. My recommendation for today, because we spent all that time talking about ways that attackers can subvert or circumvent multifactor authentication, my recommendation nonetheless is multifactor authentication—because it's actually good. And even though we all say until the end of time that there is no perfect security and no silver bullet in security, adding that extra factor of authentication really does go a long way toward cutting down on the number of attacks or the types of attacks that could be successful against your accounts. So even though there are these specific situations, or there's still some social engineering that can work, sometimes overall, it's way better, use your code generating apps, use the prompts. It's still way better than just to use your name and password alone.

MC: I agree. And I would recommend that everybody turn it on for every service that supports it. Like Twitter and Instagram and Facebook and any social channels where you hang out—more often than not, they're going to support 2FA or MFA. Banking apps in particular, anything involving money, lock it down.

LN: Yes. Love it. So Calore, what is your recommendation today?

MC: I'm going to recommend a podcast. It's a podcast I've been listening to on and off for the last three months. And it's been really great lately. It's called Poog, which is Goop spelled backwards.


LN: Oh.

MC: Yeah. And I can't remember if I've recommended this on the show before, but I can definitely recommend the last couple of episodes, because they've been really off the hook. It's hosted by two women, Kate Berlant and Jacqueline Novak. And the premise is that it's a show about the wellness industry. So they talk about health and beauty and diet and massage and fashion and things like that. But it's really, it's just two friends with a lot of opinions talking for 45 minutes to an hour. And just like so many shows that are like that, with really good, dynamic hosts who are very funny, it's a great hang. So when you listen to it, you kind of feel like you've spent some time with these people. And you've really like gotten to know them as people. And they're always surprising and funny, and they always have good advice for each other that does not necessarily always apply to you, but it's just fun to hear their dynamic and listen to them talk about it.

I also just love that they can go on 15- to 20-minute rants about things like moisturizing lotion or the material that you make socks out of, or leggings. So it's a great show from a product criticism perspective, which is what initially hooked me. But I keep coming back to it. Poog.

LN: I specifically want to know their thoughts on sock materials. You pulled me right in there.

MC: I'd have to dig back. I do remember there was one conversation about how restaurants should stop using white cloth napkins because most people, when they go out, they wear black or they wear dark colors, and you put a white cloth napkin on your lap, and then you have like white fuzz all over you on date night, and that's not flattering.

LN: Yeah. That's a good point. I thought you were going to say bib style, tuck it right into your shirt. And it's just not that flattering.

MC: I mean, I think you need like a plastic one with a lobster on it if you're going to do that and really make it work.

LN: Yeah. That would be positive for me.

MC: All right. Well Lily, thanks for joining us, and thanks for your recommendation and your mea culpa. And of course, thanks for taking us through the Lapsus$ saga so far.

LN: Yeah. Thanks so much for having me. Everybody turn on 2FA.

MC: 2FA. And thank you all for listening. If you have feedback, you can find all of us on Twitter. Just check the show notes. This show is produced by Boone Ashworth. Lauren and I will be back next week with a new show. Until then, goodbye.

[Gadget Lab outro theme music plays]
