Okta investigating a reported data breach
On Tuesday the Lapsus$ extortion gang published details of what they claim is a breach of identity provider Okta. The company downplayed the risk and said an attempted compromise was contained in January, with no evidence of ongoing malicious activity. A later update admitted that a “small percentage of customers” (2.5%) have been impacted.
A successful compromise of an identity provider could lead to malicious actors being able to log in to customer networks.
It’s not clear from their statements whether that has happened in this case.
Okta are identifying and contacting customers who may have been impacted.
Containment, Mitigations & Remediations
Okta maintain that no corrective actions need to be taken.
Indicators of Compromise
Lapsus$ have hit a number of high-profile targets in recent months. A breach of their identity provider could be an explanation, but it’s still not clear from public information whether this was the point of entry in those incidents.
T1195.002 – Compromise Software Supply Chain
T1199 – Trusted Relationship
Okta Official Statement on LAPSUS$ Claims
Updated Okta Statement on LAPSUS$