“We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers,” Okta said in a statement Tuesday.
Okta’s federal customers include the Federal Communications Commission, the Centers for Medicare and Medicaid Services and the Department of Veterans Affairs. The company’s services are certified for federal use under the FedRAMP program, which covers cloud-based products. Okta also has thousands of private sector customers.
“The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers,” the company added.
The statement came after Okta on Tuesday morning acknowledged it had investigated a potential breach in January. The incident came to light in screenshots posted online Monday night by hacking group Lapsus$. Details were first reported by Reuters.
According to the company, in January it detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. An investigation by a forensics firm commissioned by Okta subsequently identified a five-day window between Jan. 16 and Jan. 21 when an attacker had access to a support engineer’s laptop.
In February, the company won a contract for IT services with the Department of Veterans Affairs, which was awarded through NASA’s Solutions for Enterprise-Wide Procurement vehicle.
In May 2021, the company also received provisional authority to operate from the Defense Information Systems Agency within Impact Level 4 networks — the Pentagon’s designation for controlled unclassified information.
A CISA spokesperson referred a request for comment to Okta.