Cyber Incident Victim: Okta

Date: Jan 2022

Location: United States of America

Summary

A third-party customer support engineer's account was compromised, allowing an attacker to access the engineer's laptop for five days. The affected support engineers had limited capabilities: they could view certain data, such as user lists and Jira tickets, and could assist with password or multi-factor authentication resets, but could not access credentials. Approximately 2.5% of customers potentially had their data viewed or acted upon during the incident; Auth0, HIPAA and FedRAMP customers were not impacted. The company confirmed its core service remained operational throughout and notified impacted customers directly while continuing its investigation.

CIA Posture: available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 3 techniques
Threat Actors: 2 actors
Type: available to members
Location: available to members

Description

In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer employed by a third-party provider. The company responded by alerting the provider, terminating the engineer's active Okta sessions, and suspending the individual’s account. Okta also shared suspicious IP addresses and other pertinent information to support the provider’s investigation, which involved a third-party forensics firm. A forensics report received in March 2022 revealed that an attacker had accessed the support engineer’s laptop during a five-day window from January 16 to January 21, 2022. This access period aligned with screenshots later published by the LAPSUS$ group, which Okta became aware of in March. The Okta service itself was not breached and remained fully operational throughout the incident, with no requirement for customers to take corrective actions.


The investigation determined that support engineers had limited access to customer data, restricted to viewing Jira tickets and user lists, as evidenced in the leaked screenshots. Support engineers could facilitate password resets and multi-factor authentication resets but could not obtain passwords or perform higher-risk actions like creating/deleting users or downloading customer databases. Approximately 2.5% of Okta’s customers were potentially impacted, with their data possibly viewed or acted upon during the incident. Okta identified these customers and contacted them directly via email. Auth0 customers and those under HIPAA or FedRAMP compliance frameworks were unaffected. Okta hosted live webinars on March 23, 2022, to provide technical updates and reaffirmed its commitment to transparency while apologizing for the inconvenience caused. The company emphasized that no operational breach occurred and maintained its focus on securing customer information.

Sources: 2 sources (available to members)