https://support.okta.com/help/s/article/Frequently-Asked-Questions-Regarding-January-2022-Compromise?language=en_US
Submission: On March 31 via api from US — Scanned from GB
FREQUENTLY ASKED QUESTIONS REGARDING THE JANUARY 2022 COMPROMISE
MAR 31, 2022 • KNOWLEDGE ARTICLE

MARCH 25, 2022

GENERAL INFORMATION AND TIMELINE

WHAT HAPPENED?

On January 20, 2022, the Okta Security team was alerted that a new factor was added to a Sitel customer support engineer’s Okta account. This factor was a password. Although that individual attempt was unsuccessful, out of an abundance of caution, we reset the account and notified Sitel, a third-party vendor that helps us provide customer support, and Sitel engaged a leading forensic firm to perform an investigation.

The following timeline outlines the key milestones relating to the January incident:

Timeline (times in UTC)

* January 20, 2022, at 23:18 | Okta Security received an alert that a new factor was added to a Sitel employee’s Okta account from a new location. The target did not accept an MFA challenge, preventing access to the Okta account.
* January 20, 2022, at 23:46 | Okta Security investigated the alert and escalated it to a security incident.
* January 21, 2022, at 00:18 | The Okta Service Desk was added to the incident to assist with containing the user’s account.
* January 21, 2022, at 00:28 | The Okta Service Desk terminated the user’s Okta sessions and suspended the account until the root cause of the suspicious activity could be identified and remediated.
* January 21, 2022, at 18:00 | Okta Security shared indicators of compromise with Sitel. Sitel informed us that they retained outside support from a leading forensic firm.
* January 21, 2022 to March 10, 2022 | The forensic firm’s investigation and analysis of the incident was conducted until February 28, 2022, with its report to Sitel dated March 10, 2022.
* March 17, 2022 | Okta received a summary report about the incident from Sitel.
* March 22, 2022, at 03:30 | Screenshots were shared online by LAPSUS$.
* March 22, 2022, at 05:00 | Okta Security determined that the screenshots were related to the January incident at Sitel.
* March 22, 2022, at 12:27 | Okta received the complete investigation report from Sitel.

FAQS

WHY DO WE THINK THIS IS CONSTRAINED TO THESE FIVE DAYS?

We are confident that the activity was constrained to this five-day period because the forensic report from Sitel’s vendor (a leading forensic firm) confirmed this time period, and we verified the time period by reviewing our own logs.

OKTA REFERENCES A JANUARY 20 DATE WHEN OKTA SECURITY NOTICED THE ATTACKER, BUT WHAT HAPPENED FROM JANUARY 16 THROUGH JANUARY 20?

The five-day window was part of the conclusion reached in the forensic report by a leading forensic firm that Sitel commissioned. This is consistent with the activity Okta detected on January 20, as well as the screenshots provided by the threat actors on March 21, 2022. On January 20, Okta saw an attempt to directly access Okta using a Sitel employee's Okta account. This activity was detected and blocked by Okta, and we promptly notified Sitel, per the timeline above. Outside of that attempted access, there was no other evidence of suspicious activity in Okta systems.

WHY DIDN’T OKTA NOTIFY CUSTOMERS IN JANUARY?
We want to acknowledge that we made a mistake. Sitel is our service provider, for which we are ultimately responsible. In January, we did not know the extent of the Sitel issue, only that we had detected and prevented an account takeover attempt and that Sitel had retained a third-party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel. In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.

WHAT WAS THE EXTENT OF THE COMPROMISE THAT OCCURRED IN JANUARY, I.E. WHAT DATA/INFORMATION WAS ACCESSED?

The compromise of Sitel was limited to a five-day window in January. The final forensic report that we received from Sitel on March 22, 2022, concluded that there was a five-day period between January 16-21, 2022, during which an attacker had access to Sitel. This is consistent with the screenshots that the threat actor posted on March 21, 2022.

In assessing the potential extent of the compromise, it is important to remember that, by design, Sitel’s support engineers have limited access. They are unable to create or delete users, or download customer databases. Support engineers are able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to choose those passwords. In other words, an individual with this level of access could repeatedly trigger a password reset for users, but would not be able to log in to the service.

As outlined in more detail in our blog, we have identified the customers that may have been impacted, and we have already contacted them. There is no impact to Auth0 or AtSpoke customers, and there is no impact to HIPAA and FedRAMP customers.

WHAT DOES SUPER USER ACCESS MEAN, AND WHAT DOES IT ALLOW?
The potential impact to Okta customers is limited to the access that support engineers have. The “Super User” application that appeared in the screenshots is the internal Okta support tool that enables basic support access for customer support engineers; it is not synonymous with “superadmin.” It does not provide “god-like access” to all its users. This is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data (for example, Jira tickets and lists of users), which is what was seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.

WHO WAS THE 3RD PARTY SERVICE PROVIDER?

Sykes Enterprises, Inc. (which was acquired by Sitel in September 2021) is the third-party service provider that provides customer support engineering on behalf of Okta. As of Saturday, March 26, we are no longer working with Sykes/Sitel and have terminated their account access.

How did Okta determine the number of customers potentially impacted?

In trying to scope the blast radius for this incident, our team assumed the worst-case scenario and examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period during which Sitel was compromised. We have determined that the maximum potential impact is 366 (approximately 2.5% of) customers, which reflects the total number of Okta customers whose Okta tenant was accessed by Sitel during that time period. That number is overinclusive because it includes all of the legitimate Sitel customer support access during that time period.

DO YOU HAVE SPECIFIC MEANS, SUCH AS LOGS, TO DETECT WHAT, IF ANY, DATA WAS ACCESSED OR EXFILTRATED?
Okta is actively continuing our investigation, and we are utilizing logs as well as other data sources.

WHAT ASSURANCES EXIST THAT THE ISSUE HAS BEEN REMEDIATED BY OUR 3RD PARTY SERVICE PROVIDER?

Sitel confirmed to Okta that they have remediated this issue.

SHOULD I RESET PASSWORDS?

We are confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers. We are confident in this conclusion because Sitel (and therefore the threat actor, who only had the access that Sitel had) was unable to create or delete users, or download customer databases. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to choose those passwords. In order to take advantage of this access, an attacker would independently need to gain access to a compromised email account for the target user.

HOW DO I KNOW THAT MY OKTA ORG WAS NOT IMPACTED?

We have reached out to all customers who have been potentially impacted. In addition, we have also notified non-impacted customers.

What can I do if I need more information?

Please refer to Okta’s blogs on this topic. If after reviewing these resources you require additional information, please contact your account team.