How Lapsus$ Breached Okta and What Organizations Should Learn

What Is Okta?

Why Is Okta In the News?

How Was the Attack Executed?

  • On March 22, 2022, a hacking group identifying itself as Lapsus$ posted some screenshots in its Telegram channel claiming to have compromised Okta’s internal systems. The screenshots included Okta’s Slack channels, super admin dashboard (access to reset passwords and MFA of their business customer’s employees — the customer in the screenshot was Cloudflare), and JIRA board.
  • Okta’s CSO responded through a blog post stating that the incident that Lapsus$ refers to had happened in January 2021 when it detected an attempt by hackers to compromise the account of a customer support engineer working for a third-party service provider.
  • Okta alerted the service provider, suspended the engineer’s account, and terminated the user’s active Okta sessions. Besides, the company shared pertinent information with a third-party forensics firm for investigation.
  • The investigation reported that hackers accessed the engineer’s laptop for five days in January 2022.
  • However, Lapsus$ claims that it had gained admin access to Okta’s systems for two months, and it found Okta storing AWS keys in Slack channels. Furthermore, the hacker group claimed that it used its access to focus on Okta’s customers.

Who Is Behind Okta’s Breach?

The Key Reasons That Caused The Security Breach

Okta Breach: What Was the Impact?

What to Learn From Okta’s Cyber Hack?

1) Limit Access on a ‘Need-to-Know’ Basis

2) Validate Third-party Apps and SaaS Solutions

3) Implement Robust IAM-PAM Solutions

4) Train Employees and Customers

5) Be Vigilant

6) Audit and Review Regularly

7) Communicate Transparently

To Conclude



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store