Postmortem Index

Explore incident reports from various companies

Okta third-party support engineer laptop compromise

Okta

2022-01-16 – 2022-01-21 · security

On January 16, 2022, a threat actor gained remote access via RDP to a laptop belonging to a customer support engineer working for Sitel, a third-party sub-processor for Okta. This access continued until January 21, 2022. Okta Security was alerted on January 20, 2022, about suspicious activity on a Sitel employee’s Okta account, leading to an immediate investigation and escalation.

Upon detecting the suspicious activity, Okta Security reset the affected Sitel employee’s account, terminated their Okta sessions, and suspended the account on January 21, 2022. Okta also shared indicators of compromise with Sitel, who then engaged a forensic firm to investigate the incident.

The root cause was the compromise of a Sitel-owned and managed laptop, allowing the attacker to control the machine through an RDP session. While the attacker never gained direct access to the Okta service via account takeover, they were able to obtain screenshots and operate the compromised machine. The support engineer’s access was limited to basic duties using internal tools like “SuperUser,” designed with least privilege principles.

Okta’s investigation determined that the maximum potential impact involved 366 customers, representing approximately 2.5% of their customer base, whose Okta tenants were accessed by Sitel support engineers during the five-day compromise window. The attacker’s actions were constrained by the limited privileges of the support engineer’s account, preventing actions like creating/deleting users, downloading customer databases, or accessing source code.

Okta analyzed over 125,000 log entries to scope the blast radius and will provide affected customers with reports detailing actions performed on their Okta tenants by Sitel during the incident period. This transparency aims to allow customers to conduct their own analysis and assess the situation. Okta also acknowledged opportunities for process and communication improvements.

Keywords

okta, sitel, compromise, security, rdp, support, january 2022, lapsus