The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before they were able to access the internal systems of Okta, according to documents that have not yet been reported.

The Lapsus$ hacking group published a video showing it had accessed Okta's internal apps and systems some two months before customers learned of the security breach. About 2.5% of Okta's customers are affected by the compromise, which the company admitted in a post on its website.

The documents contain the most detailed account to date of the Sitel compromise, which allowed the hackers to later gain access to Okta's network.

Okta is used by thousands of organizations and governments worldwide as a single sign-on provider, allowing employees to securely access a company's internal systems, such as email accounts, applications, databases and more.

The documents, obtained by Bill, include a customer communication sent on January 25th, more than a week after hackers first compromised its network, and a detailed timeline of the incident.

According to the documents, Sitel discovered a security incident in its gateways on a legacy network that it acquired in 2021. Virtual private networks can be used to access a company's network.

The attackers used remote access services and publicly accessible hacking tools to compromise and navigate through the network over a five-day period. According to Sitel, its cloud infrastructure was also compromised by hackers.

The hackers accessed a spreadsheet on the internal network of Sitel early on January 21.

The hackers created a new user account and added it to a user group that had broad access to the organization. The Lapsus$ hackers were compromising Okta's network at the same time.

The hackers last accessed the network on January 21 at 2 p.m., around 14 hours after accessing the spreadsheet of passwords. The company issued a password reset to try to keep attackers out.

Okta received a Mandiant report on March 17 and did not warn customers sooner. Okta chief security officer David Bradbury said the company should have moved more swiftly to understand its implications.

When contacted before publication, Okta was unable to comment. Mandiant and Sitel did not dispute the contents of the reports.

The Lapsus$ hacking and extortion group has recently targeted several big-name companies. The Lapsus$ group first emerged on the hacking scene in December, after it stole 50 terabytes of data from Brazil's Ministry of Health. Since then, the gang has targeted several Portuguese-language companies, as well as Big Tech giants such as Microsoft and Okta, touting its access and stolen data to the tens of thousands of subscribers of its Telegram channel, while often making unusual demands in exchange for not.

Police in the U.K. arrested seven people last week for their involvement in the incidents.
