Microsoft is one of the largest, oldest technology companies globally, having been an integral part of the computer revolution that started in the 1980s. Okta is a large, successful software company specializing in identity control and user authentication for other companies (known as IAM security software). Despite those impressive pedigrees, both companies have been successfully hacked by an up-and-coming criminal group known as “Lapsus$.” But how did it happen and was multifactor authentication used?

Who Is Lapsus$?

Lapsus$ is a cybercrime group that originally started in Brazil. As with other hacker groups, the online nature of cybercrime means that membership is not strictly limited to the country of origin. They are a recent arrival on the digital crime scene, having begun operations only in December of 2021.

However, they have already been confirmed to have successfully infiltrated the likes of Korean electronics giant Samsun, graphics card manufacturer Nvidia, and even the game developer and publisher Ubisoft. They specialize in going after corporate targets, stealing confidential data, and releasing it unless a ransom is paid.

What Happened To Okta?

Okta immediately informed the affected clients while publicly stating only 2.5% of their total clientele was impacted by the intrusion. After conducting an investigation, they concluded that a support engineer had left a laptop vulnerable for five days, and the laptop was likely hacked during this period.

In this case, it wasn’t a situation where Okta’s internal security failed, so much as negligent security measures by an individual engineer resulted in an account-takeover and access to the compromised system.

What Happened To Microsoft

Microsoft had over 40 GB of data stolen and publicly disclosed online, including source code for software like Cortana and Bing. When Microsoft conducted their investigation, they discovered that a single account was responsible for the data theft, but the account had not been hacked, as proper authentication had granted access.

In this case, the account was compromised by “social engineering,” where hackers deceive a user into voluntarily giving up account details, usually by either posing as an official or installing malware on a USB key that a user thinks contains other types of data so that when it is installed on a system, it seizes control. 

Key-based Multifactor Authentication Makes A Difference

This is why the discipline to implement and use key-based multifactor authentication is so crucial. Stealing a password for a specific device or online account is easy. With this type of multifactor authentication involving key-pairs, additional gates and checks are added so that a password is not enough to grant account access. However, multifactor authentication only works when people have the discipline to follow it and the resilience to take on the extra work of using a second authentication factor – such as SMS-OTP or emailed codes.

If you’re interested in using the FIDO protocol and moving to a key-based passwordless authentication system, that provides the maximum security to prevent phishing and other ways of executing account takeovers read here to learn more.

Large technology companies amass huge amounts of personal data from their users. Because of this, they work hard to assure both customers and shareholders that the data is safe and can’t be easily stolen through the more conventional methods of hacking and intrusion. For two of the largest tech companies globally, Apple and Meta—the parent company of Facebook—this is certainly the case. However, even the largest corporations can sometimes fall for well-implemented deceptions, and that’s exactly what happened in a case of bold social engineering.

The Human Factor

Social engineering refers to attacking the weakest link in most security chains, human error. Social engineering tricks a victim into voluntarily performing an action that would compromise an otherwise secure system by gaining trust, exploiting greed, provoking fear, or other psychological manipulation tactics.

In the case of both Apple and Meta, the social engineering tactic here was for hackers to impersonate law enforcement officers and send emergency data requests. This legitimate legal request overrides the requirements of presenting a subpoena, warrant, or other court-approved documents before needing to comply. The Apple and Meta employees faced with these bogus emergency data requests complied and handed over IP addresses, mailing addresses, and phone numbers.

The Ongoing Challenge

While embarrassing, especially for companies that typically use up-to-date security measures such as biometrics and other forms of cyber security, neither Apple nor Meta have disclosed the full amount of data given to the hackers. But it is a testament to the ambition of criminals that regardless of the cyber security measures taken, some criminals refuse to give up and resort to the most extreme measures to get the data they want.

Biometrics, USB encryption, decryption keys, and other passwordless authentication methods are all incredibly efficient forms of cyber security. However, they are forms of personal protection, giving individuals the security they need to restrict access to their data. There is no accounting for what happens when a social engineering scheme works at the very “top” of the pyramid, with the data technology companies themselves, who can override any security and provide data on request if they are presented with legitimate, verifiable legal requests, or fall prey to believing a request is legitimate without securing more verification from the parties making the request.

Apple’s Change

Apple joined the FIDO Alliance in the Fall of 2020 a new global standard in the world of passwordless authentication. Apple has now authored a multi-device FIDO standard known as “Passkey” which allows a user to use a FIDO private key to access their Apple accounts. If a device is lost or replaced, the FIDO private key can be recovered from another Apple device owned by the user. With Apple joining the other 340 FIDO Alliance members, the global establishment of the FIDO alliance is considered complete.

It’s crucial, however, for every company to take its own cyber security seriously. Your data on your systems and networks need to be protected. If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.