Microsoft is one of the largest, oldest technology companies globally, having been an integral part of the computer revolution that started in the 1980s. Okta is a large, successful software company specializing in identity control and user authentication for other companies (known as IAM security software). Despite those impressive pedigrees, both companies have been successfully hacked by an up-and-coming criminal group known as “Lapsus$.” But how did it happen and was multifactor authentication used?
Who Is Lapsus$?
Lapsus$ is a cybercrime group that originally started in Brazil. As with other hacker groups, the online nature of cybercrime means that membership is not strictly limited to the country of origin. They are a recent arrival on the digital crime scene, having begun operations only in December of 2021.
However, they have already been confirmed to have successfully infiltrated the likes of Korean electronics giant Samsun, graphics card manufacturer Nvidia, and even the game developer and publisher Ubisoft. They specialize in going after corporate targets, stealing confidential data, and releasing it unless a ransom is paid.
What Happened To Okta?
Okta immediately informed the affected clients while publicly stating only 2.5% of their total clientele was impacted by the intrusion. After conducting an investigation, they concluded that a support engineer had left a laptop vulnerable for five days, and the laptop was likely hacked during this period.
In this case, it wasn’t a situation where Okta’s internal security failed, so much as negligent security measures by an individual engineer resulted in an account-takeover and access to the compromised system.
What Happened To Microsoft
Microsoft had over 40 GB of data stolen and publicly disclosed online, including source code for software like Cortana and Bing. When Microsoft conducted their investigation, they discovered that a single account was responsible for the data theft, but the account had not been hacked, as proper authentication had granted access.
In this case, the account was compromised by “social engineering,” where hackers deceive a user into voluntarily giving up account details, usually by either posing as an official or installing malware on a USB key that a user thinks contains other types of data so that when it is installed on a system, it seizes control.
Key-based Multifactor Authentication Makes A Difference
This is why the discipline to implement and use key-based multifactor authentication is so crucial. Stealing a password for a specific device or online account is easy. With this type of multifactor authentication involving key-pairs, additional gates and checks are added so that a password is not enough to grant account access. However, multifactor authentication only works when people have the discipline to follow it and the resilience to take on the extra work of using a second authentication factor – such as SMS-OTP or emailed codes.
If you’re interested in using the FIDO protocol and moving to a key-based passwordless authentication system, that provides the maximum security to prevent phishing and other ways of executing account takeovers read here to learn more.