An internal memo indicates that Okta’s source code has been stolen by one or more unauthorized users. The organization claims the breach does not affect customers.
BleepingComputer obtained the internal memo from an anonymous source. Okta CSO David Bradbury writes that one or more unauthorized users copied source code stored in GitHub repositories in early December.
Okta develops security products for authentication, including single sign-on and 2FA. The memo does not specify which source code was stolen, but Bradbury suggests multiple products are involved. Keeping source code private is key to application security. Access can help cybercriminals develop exploits.
The source code of some applications includes passwords and personal data. Okta says it has “taken steps” to prevent the breached source code from providing access to customer information. According to Bradbury, internal investigations revealed that no access was gained to services and client data.
In the memo’s conclusion, Okta promises to publish a blog about the incident today. At the time of writing, the company’s press page does not show such a post, though that’s likely to change in the next few hours. BleepingComputer reached out for a comment, but received no immediate response.
Okta stores source code in GitHub repositories. GitHub uses monitoring technology to notify users of suspicious access to repositories. Okta was alerted by GitHub in early December. Further investigation confirmed that source code had been copied.
Okta’s initial response was to block all GitHub integrations with third-party apps and restrict user access to GitHub repositories. This suggests that the data breach was caused by either a third-party app or an internal user. The cause has not been confirmed by Okta at the time of writing.
The organization has had a difficult year. Subsidiary Auth0 disclosed a similar incident in September. Moreover, crime group Lapsus$ claimed to have access to Okta’s internal applications and customer data in March.
It was later found out that the security company had known about the intrusion since January. Okta had swept the incident under the rug until Lapsus$ went public.
“I want to be really clear that we’re responsible”, CEO Todd McKinnon later said in an apology. “No third party this or third party that. It’s our responsibility to make sure this stuff doesn’t happen. “We are a trusted brand and that trust has been damaged.”