On 22nd March 2022 08:43 UTC, we became aware of the issue affecting Okta, a third-party identity provider that Percona uses for https://id.percona.com. Initially, there was no statement from Okta, so our Security Operations team reviewed the information available from LAPSUS$ and other public sources.
Based on the public information available about the issue, we evaluated the potential exposure to Percona and determined that the impact was minimal. Percona uses Okta integrations so that https://id.percona.com can be used to authenticate against Percona’s deployments of:
portal.percona.com (the dashboard portal interface where users and clients can add their PMM integration).
Integrations of PMM with Percona’s portal do not at this time allow for management from the portal.percona.com interface (read: no commands may be issued to the PMM server).
At the time of writing, Percona is aware that the level of compromise gave LAPSUS$ access sufficient to force a reset of both the password and the MFA secrets of individual users. Information released by Okta noted that passwords were not discoverable and stated that only 2.5% of Okta’s customers had been affected.
On 2022-03-24 20:04 GMT/UTC Percona received notice of no impact from Okta.
Whilst the notice states that Percona was not impacted, we strongly urge users of https://id.percona.com to follow best practices by updating their password to a wholly unique password that is not shared with other platforms and is of sufficient complexity and length, and by enabling 2FA/MFA wherever it is possible to do so.
Even though the impact on Percona is minimal, we are taking actions to further strengthen the Percona services and projects that use Okta for identity management. The Security Operations team will continue to monitor public information and Okta’s response as it becomes available. We will further assess any additional security actions that need to be taken and, if necessary, alternative identity management providers.
Percona’s clients’ and users’ security is at the core of our Security Operations team’s values and will continue to remain our core focus. This means we will always strive to ensure that our chosen third-party vendors introduce minimal viable risk. However, when a service provider creates a risk to our customers and its response is not provided in a timely manner, we strive to explore all aspects of the information being made available so that we can arrive at our own conclusions and strengthen our security posture.
If you have any concerns or questions related to this issue, or other security-related queries about Percona, please review https://www.percona.com/security for the appropriate channels of enquiry.
Information Security Architect, Percona
Okta’s update links:
Tibor Korocz (Percona) – for raising the issue early and getting this to the top of my backlog.
John Lionis (Percona) – for assisting with the review, deep dive, and evidence collection for this issue.