Identity and access management company Okta is investigating a possible data breach after ransomware group Lapsus$ claimed responsibility for the incident. 

Lapsus$ — a hacking group that claims to be behind several cyberattacks affecting Nvidia, Samsung, Microsoft and Ubisoft — claims it did not steal any databases from Okta and that its only focus was on Okta customers. In a recent filing, Okta said it had more than 15,000 customers around the world, including Grubhub, FedEx, Peloton, jetBlue, T-Mobile, McKesson, Fidelity, Major League Basketball, and more. 

In addition, Lapsus$ published screenshots claiming to have had access to an Okta internal administrative account and the firm’s Slack channel for two months. 

Todd McKinnon, Okta CEO, said the firm believes those screenshots are related to a security incident that occurred in early January that was contained. “In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors,” McKinnon tweeted. “The matter was investigated and contained by the subprocessor.”

In a statement sent to The Verge, Chris Hollis, Okta spokesperson, said Okta has not found evidence of an ongoing cyberattack or data breach. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January,” Hollis said. 

Okta customers must be on high alert right now, security experts say. Besides checking administrative events and logs, security teams should immediately verify that “Give access to Okta support” is disabled and “Give Directory Debugger Access to Okta Support” is also disabled on the Settings->Account page, says SecurityScorecard’s Chief Information Security Officer (CISO) Mike Wilkes. “Organizations should also check if any API tokens have been created that cannot be accounted for, with change control tickets/requests for those tokens to be created,” Wilkes adds.