Teens Arrested in Hack of Microsoft and Okta But Haven’t Been Charged

Police in London have arrested seven young people between the ages of 16 and 21 for allegedly hacking Microsoft and Okta under the hacker group name LAPSUS$. All seven people have been released and none have been formally charged with a crime. At least not yet.

“The City of London Police has been conducting an investigation with its partners into members of a hacking group,” Detective Inspector Michael O’Sullivan of the City of London Police told Gizmodo in an emailed statement early Friday.

“Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing,” O’Sullivan continued.

The LAPSUS$ hacking group recently took credit for hacking Microsoft, posting source code to Cortana and Bing. And earlier this week the same group boasted on its Telegram channel that it had infiltrated Okta, a claim that was partially true but wildly inflated.

In reality, a subcontractor for Okta had been hacked in January, giving the LAPSUS$ hackers temporary access to some sensitive portals in the authentication company.

From Okta's post-mortem explanation of the hack:

The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session.

If the LAPSUS$ hacking group really does turn out to be the work of teenagers, it would confirm suspicions that whoever was infiltrating these companies was inexperienced and amateurish. For one thing, ransomware crews typically encrypt large amounts of sensitive data and demand payment before unlocking it for the company. LAPSUS$ took a more direct route to extortion: it stole data without depriving the company of it through encryption, then demanded money under the threat of leaking the data publicly.

Did the London Police nab the right hackers? Only time will tell. And right now we don’t have a lot of information about who they’ve actually grabbed off the street.