Lapsus$ Breaches Reveal that Even Cybersecurity Organizations Don’t Follow Best Practices

Simar Kohli
March 30, 2022

If you’ve kept up with cybersecurity news over the past month you’ve likely heard all about Lapsus$ breaching Okta and Microsoft. Although security incidents are nothing new, these breaches are particularly concerning since they impacted major tech companies that invest billions into protecting their systems and clients. Here’s what you need to know about the Lapsus$ breaches and their impacts on cybersecurity.

Every organization is vulnerable to social engineering attacks

According to Verizon’s Data Breach Investigations Report, social engineering tactics are involved in 93% of corporate data breaches. Both the Okta and Microsoft breaches involved members of Lapsus$ breaking into systems using stolen employee credentials. They would gain access to the personal accounts of employees and use them to perform password resets on work accounts. Lapsus$ members even called Microsoft help desk employees to convince them to reset a target account's credentials. Even though companies like Okta and Microsoft have strong technical cybersecurity configurations, almost any organization can be infiltrated through social engineering. This illustrates how focusing on the human element of cybersecurity should be a priority for all companies.

Multifactor Authentication is only as secure as the person who uses it

One of the reasons the Lapsus$ breaches are so concerning is that the hackers were able to bypass MFA quite easily using psychological techniques. If utilized correctly, MFA can reduce unauthorized access to an account by 99.9%, but MFA is useless if employees approve unauthorized login requests with their second form of authentication.

Lapsus$ used a technique called MFA bombing to get people to grant them permission to access confidential information. MFA bombing is a process that relies on user security fatigue. Hackers will send repeated login requests to an employee's secondary form of authentication until the employee breaks down and approves the request. Members of Lapsus$ would often spam employees with authentication requests in the middle of the night so that people would approve them to stop receiving notifications. Many individuals also do not pay attention to login requests from authentication apps or SMS and will approve them without a second thought. MFA is thought to be one of the strongest forms of protection against a breach, but it is extremely vulnerable to tricks that capitalize on user fatigue.
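The pattern described above (a burst of push requests, often at night, ending in an approval) is something an identity team can detect from its own MFA logs. The following is an added example, not code from the original post or from any vendor: it runs a sliding-window rule over a few constructed push-MFA log lines (the format and the `PUSH_*` event names are assumptions) and flags users who received a burst of pushes and whether an approval followed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log lines for the demo (not real product logs).
# Format assumed here: ISO-8601 UTC timestamp, username, event.
SAMPLE_LOG = """\
2022-03-20T02:14:05Z alice PUSH_SENT
2022-03-20T02:14:31Z alice PUSH_DENIED
2022-03-20T02:15:02Z alice PUSH_SENT
2022-03-20T02:15:40Z alice PUSH_TIMEOUT
2022-03-20T02:16:11Z alice PUSH_SENT
2022-03-20T02:16:50Z alice PUSH_SENT
2022-03-20T02:17:22Z alice PUSH_SENT
2022-03-20T02:18:03Z alice PUSH_APPROVED
2022-03-20T09:01:00Z bob PUSH_SENT
2022-03-20T09:01:20Z bob PUSH_APPROVED
"""

def parse(log: str):
    """Yield (timestamp, user, event) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_push_bombing(log: str, window=timedelta(minutes=10), threshold=4):
    """Flag users who were sent at least `threshold` pushes within any
    `window` (sliding window per user), and record whether an approval
    came after the burst, i.e. the fatigue attack may have succeeded."""
    recent = defaultdict(list)   # user -> timestamps of pushes inside the window
    alerts = {}
    for ts, user, event in parse(log):
        if event == "PUSH_SENT":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop pushes older than the window
                q.pop(0)
            if len(q) >= threshold:
                alerts[user] = {
                    "pushes": len(q),
                    "off_hours": ts.hour < 6,          # "middle of the night" signal
                    "approved_after_burst": False,
                }
        elif event == "PUSH_APPROVED" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return alerts

if __name__ == "__main__":
    for user, info in detect_push_bombing(SAMPLE_LOG).items():
        print(user, info)
```

An approval that follows a flagged burst is the case worth paging on: the session should be treated as compromised until the user confirms they initiated every prompt.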

SMS is becoming an extremely weak form of authentication

Although using SMS as a second form of authentication is better than not having any MFA/2FA, the proliferation of SIM swap attacks makes SMS less effective than in the past. SIM swapping (also known as SIM hijacking) is a process where hackers take control of a phone number. Upon gaining control of a particular number, the hackers can then authenticate any logins that require SMS verification as a secondary layer of protection. Many SIM swap attacks are carried out through social engineering tactics where a hacker will pretend to be the person whose information they want to steal. They will then convince the victim's phone company that they are changing phones and their SIM card needs to be swapped.

Lapsus$ frequently took advantage of SIM hijacking to bypass 2FA on the accounts that they stole credentials from. Lapsus$ would gain access to phone numbers by offering telecom employees bribes to move SIM information to another device. Leaked Telegram screenshots revealed that Lapsus$ offered AT&T, Verizon, and T-Mobile employees up to $20,000 a week to SIM swap customers. The risk of phone company employees looking to make extra money by performing SIM swaps means that SMS is no longer the secure form of authentication it once was.

Screenshots of a Lapsus$ member offering phone company employees bribes

What you can do to protect yourself and your business

The most important thing you can do to secure your organization is to prevent social engineering attacks. Security tools are useless if hackers can bypass the human element of cybersecurity to gain entry into secure systems. One of the best ways to prevent social engineering or phishing attacks is by training your employees to follow best cybersecurity practices at all times. Research shows that properly training employees can reduce the likelihood of a breach by over 80%! We’ve written our own security awareness training at Haekka and made it free for anyone! Check it out here.

One specific technique people can use to strengthen their online security is using an authenticator app like Google Authenticator, Authy, or Duo instead of SMS. However, MFA bombing is still potentially an issue with these apps. You can prevent MFA bombing in two ways. The first is maintaining skepticism and vigilance by only approving login requests you are certain you submitted. This goes hand in hand with security awareness training. The second method is to use codes generated within an app to allow logins instead of notification-based permissions. Authentication apps typically cycle codes every 30 seconds and it is significantly more difficult for a hacker to steal these codes versus getting someone to click a notification.

Sample image of code-based authentication

The news of tech giants like Microsoft and Okta being breached is certainly worrisome, but we can learn from these incidents. Even cybersecurity companies fail to properly follow best practices. Many employees fell for social engineering scams, and security fatigue led to people granting hackers access to company systems. The fact that Sitel (an Okta subcontractor) had an internal file called “DomAdmins-LastPass.xlsx” containing login information for every domain administrator shows that even IT departments don’t follow basic password guidelines. To stop making easily avoidable mistakes such as storing important login information in plaintext (sorry Okta), schedule a demo of Haekka with one of our founders today.