Home / Threat Intelligence bulletins / Okta investigating a reported data breach


On Tuesday the Lapsus$ extortion gang published details of what they claim is a breach of identity provider Okta. The company downplayed the risk and says an attempted compromise was contained in January with no evidence of ongoing malicious activity. A later update admitted that a “small percentage of customers” (2.5%) have been impacted


A successful compromise of an identity provider could lead to malicious actors being able to log in to customer networks.
It’s not clear from their statements whether that has happened in this case.

Vulnerability Detection

Okta are identifying and contacting customers who may have been impacted.

Containment, Mitigations & Remediations

Okta maintain that no corrective actions need to be taken.

Indicators of Compromise

None given.

Threat Landscape

Lapsus$ have hit a number of high-profile targets in recent months. A breach of their identity provider could be a possible explanation but it’s still not clear, based on public information whether this was the point of entry in those incidents.

Mitre Methodologies

T1195.002 – Compromise Software Supply Chain
T1199 – Trusted Relationship

Further Information

Okta Official Statement on LAPSUS$ Claims
Updated Okta Statement on LAPSUS$