Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security

Lapsus$ Found a Spreadsheet of Passwords as They Breached Okta, Documents Show (techcrunch.com) 39

The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents seen by TechCrunch that provide new details of the cyber intrusion that have not yet been reported. The report adds: [...] The documents provide the most detailed account to date of the Sitel compromise, which allowed the hackers to later gain access to Okta's network. [...] The documents, obtained by independent security researcher Bill Demirkapi and shared with TechCrunch, include a Sitel customer communication sent on January 25 -- more than a week after hackers first compromised its network -- and a detailed timeline of the Sitel intrusion compiled by incident response firm Mandiant dated March 17 that was shared with Okta.

According to the documents, Sitel said it discovered the security incident in its VPN gateways on a legacy network belonging to Sykes, a customer service company working for Okta that Sitel acquired in 2021. The timeline details how the attackers used remote access services and publicly accessible hacking tools to compromise and navigate through Sitel's network, gaining deeper visibility to the network over the five days that Lapsus$ had access. Sitel said that its Azure cloud infrastructure was also compromised by hackers. According to the timeline, the hackers accessed a spreadsheet on Sitel's internal network early on January 21 called "DomAdmins-LastPass.xlsx." The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee's LastPass password manager.

This discussion has been archived. No new comments can be posted.

Lapsus$ Found a Spreadsheet of Passwords as They Breached Okta, Documents Show

Comments Filter:
  • To be found in lots and lots of places. It starts getting funky when these get mailed arpund.

    • Okta sells their product partly based on the promise of keeping people from doing that. So egg on their face.

      On the other hand, it's an example of the damage that can be done when you don't have proper secrets management. If that unit had been using all the Okta products, this probably wouldn't have happened.

      My company makes a lot of acquisitions, so I can understand how a file could exist from before the acquisition. You don't always have time to sanitize everything in the new company before connecting th

      • You don't always have time to sanitize everything in the new company before connecting them to the network.

        If your core business is security, you should not be doing that.

        • by gweihir ( 88907 )

          You don't always have time to sanitize everything in the new company before connecting them to the network.

          If your core business is security, you should not be doing that.

          Indeed. Things should be prioritized differently and resources to do things securely should be found. Otherwise everything that company does in the security-space becomes suspect.

      • Okta doesn't sell PAM, and which this breached company (Sykes) clearly wasn't using. Whether that was according to the contract between Okta and Sykes remains to be seen. In the end, Okta remains responsible for contracting out support to this company...
    • I was expecting a security company to at least use KeePass, just because it has some guaranteed protection, at the minimum, just to ensure that if the file falls into the wrong hands, it might take some brute forcing to get it open.

      • I was expecting a security company to at least use KeePass, just because it has some guaranteed protection, at the minimum, just to ensure that if the file falls into the wrong hands, it might take some brute forcing to get it open.

        It doesn't matter whether you're using KeePass or LastPass if some fuckwit exports the database into a non-encrypted format. Even KeePassX, (at least my version), contains an "Export to CSV" function.

        At some point you're depending on the sense, or lack thereof, of the people who work for you. That will always be the most frequent point of failure.

        • by gweihir ( 88907 )

          It doesn't matter whether you're using KeePass or LastPass if some fuckwit exports the database into a non-encrypted format. Even KeePassX, (at least my version), contains an "Export to CSV" function.

          At some point you're depending on the sense, or lack thereof, of the people who work for you. That will always be the most frequent point of failure.

          Exactly. And if you see that this sense is lacking at a company that styles itself as a "security" company, you stay the hell away from them and their products. Because it very likely is a company-wide problem and the ones ultimately responsible are the C-levels.

  • an ".xlsx" file? So Microsoft environment! Again! If you walk on the tracks less, your chances of getting hit by a train are decreased.
    • Because if it was a CSV it'd be more secure?

      • woosh...

  • by v1 ( 525388 )

    the spreadsheet contained passwords for domain administrator accounts

    somebody is very fired.

    • Doesn't that break a lot of compliance rules? I know that with PCI-DSS, FERPA, HIPAA, and other regs, that passwords are meant to at least be stored in a PAM or other authenticated system for access? If that is the case, if this breach causes breaches in subsequent companies, the compliance enforcement orgs might just have a word or two there.

      • by Bert64 ( 520050 )

        Well they already compromised credentials, which they used to access the file containing more passwords, so it seems the "other authenticated system for access" bit was already being complied with.

        A lot of these security standards require access controls to be in place, but don't necessarily require them to be provably robust.

        Many places have a centralised store of credentials, which is then protected by another set of potentially much weaker credentials. Usually Active Directory is the basket that all your

      • by v1 ( 525388 )

        Best practice for password lists is to use different passwords for everything and to make them strong, which pretty much requires a password manager or keeping a list. They WERE in lastpass or somerthing but someone did an export, which itself isn't a bad idea. Having them encrypted in lastpass and not having a backup somewhere else could be a nightmare if that's lost. But that export should have been printed out and placed in a safe or some other physically secure location, or placed in some other encry

        • MY password list is in an encrypted disk image, along with other secure things like ssh private keys and certificate keys.

          Is this more secure than using something such as KeePassX? If it is I may add it to my security practices via VeraCrypt.

          • by v1 ( 525388 )

            You can select what security you want to use with the disk image, I don't know what your options are with KeePass. It's also trivial to store anything inside a DMG, and I assume that KeePass has limitations on what it can store

            When the DMG is mounted, it's basically transparent to any application, such as Excel, that might seek to use it. Excel creates a temp file while you edit a document, (as do many other editors) and if you're pulling a document out of encryption, editing it, copying back to encrypted

            • Thanks for the info! I mostly store passwords, but your point about temp files is a good one and I'll keep it in mind if I'm working with documents that contain sensitive information.

              • You can just store the KeePass DB in the DMG file, which gives the best of all worlds. I keep my keyfiles on a read-only encrypted volume that is mounted only when opening KeePassXC, but the actual KeePass DB sits on a volume that is often backed up, just to ensure that I can recover it.

            • Depends on the password manager. KeePass is 100% open and supports AES-256, which is good enough. Other PW managers, you may not know what it is doing.

              An encrypted disk image, be it MacOS's DMG or sparse bundles, Windows's .VHDX + BitLocker, Linux LUKS, or VeraCrypt is definitely secure, but it isn't really a password manager, but more of a place to throw secure documents. Nothing wrong with encrypted disk images.

              I use KeePass because it allows me to have all the passwords in one place. If I need to sto

              • by v1 ( 525388 )

                I can address some of that.

                (1) is a valid concern, if the attacker has access while the image is mounted, they have complete access to the contents. It's a trade-off for convenience. Also, unlike the osx keychain, there is no restriction as to what processes on the computer have access to the data in a mounted disk image. A well-designed bit of malware could watch /Volumes for encrypted disk images to appear and make quiet copies of everything on them automatically on sight. Though this is also a risk f

  • I have the "Ads Disabled" box checked, have uBlock Origin installed, but have started seeing these ads appear in the lower right corner of Firefox, only on Slashdot.
  • Comment removed based on user account deletion
    • Mod Up! I have no points. The root cause is Agile projects. No documentation, go fast, onboard people fast (give every one admin, with a trove of plaintext accounts). You can almost bet backups will not be up to scratch. There must be a sacrificial scrape goat, person who has to be fired out of this. Maybe directors found to be unfit and kicked off the board. The insurance company denies all claims, citing terms, and loose cannon / Cowboy practices, with zero oversight. Whoever audited their financial accou
      • Comment removed based on user account deletion
        • Yeah Money- its fair enough. But so is I want that platform stood up by the end of next week, or they are canned attitude. Code for Agile, production testing, no doco. Security - give me a break. As for IT I left the game, having to learn a language and toolkit every year - at my own cost and unpaid time, and beaten at interviews by better liars with dodgee referees. Money was OK, but the lack of respect and boot licking expectations was too much. I made more on property flipping. The other business term I
    • I went to the website of the subsidiary where the breach occurred (Sykes) and did some poking around, trying to get a vibe for what this company was about.

      Firstly, yes, it's a Wordpress web site. Complete with unremoved Sample posts [sykes.com] in rotation through their annoying scrolly things on every page.

      When I saw a post about collecting/securing data for personalized recommendations, I felt that would be the most relevant one to click on. So, how are they pitching that to their customers? They say how in the past,

  • One assumes an Insurance Company for ICT breaches was active. After the extreme act of incompetence and board negligence, one assumes the insurance company says no payout as you clearly breached our terms (do not write passwords down) . Can we know the name of their insurance company?
  • Key takeaway: Humans are incompetent at security and their ability to cause major fuckups increases with the amount of money at stake. SNAFU means it is impossible to depend on a security provider based only on humans. They will get social networked, fired and replaced by bean counters, forget to use post-it notes instead of Excel files for passwords ;), etc. They can have every ISO process and still be fuckups. Perhaps this could be solved with an AI / robot that just looks for clues to fuckupery on their

  • Seriously? This may be the worst IT dumbfuckery I've heard of in a long time. Well that and setting it all to "PASSWORD"

  • Bob was good at security, he was over worked and managed way to many systems and was likely irreplaceable. He had all his passwords safely encrypted in keepass. Bob gave 2 weeks notice that he was quitting and instead of using that 2 weeks to train a replacement management had Bob working round the clock as usual putting out fires. On the last day Bob gave his encrypted keepass database to Frank, someone who had no knowledge of keepass. The next week 5 different people needed the passwords and Frank cop
  • From the actual article:

    "The timeline details how the attackers used remote access services and publicly accessible hacking tools to compromise and navigate through Sitel’s network, gaining deeper visibility to the network over the five days that Lapsus$ had access. Sitel said that its Azure cloud infrastructure was also compromised by hackers.

    According to the timeline, the hackers accessed a spreadsheet on Sitel’s internal network early on January 21 called “DomAdmins-LastPass.xlsx.

Genius is ten percent inspiration and fifty percent capital gains.

Working...