Cyber company Okta is latest potential victim cited by Lapsus$ hackers

The financially motivated group of malicious hackers posted screenshots that Okta said could be related to "activity" detected in January.
Okta logo

Identity authentication company Okta, which provides services to thousands of companies as well as U.S. government agencies, acknowledged Tuesday morning that it had investigated an incident in January that was related to screenshots posted online Monday night by a hacking group.

“In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors,” company Okta CEO Todd McKinnon tweeted. “The matter was investigated and contained by the subprocessor.”

The tweet was in response to the latest posts by the cybercrime group Lapsus$ on its Telegram channel.

“We believe the screenshots shared online are connected to this January event,” McKinnon said. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”


Okta followed up with a statement later Tuesday by Chief Security Officer David Bradbury saying that the company’s core service “has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.” 

Bradbury said there was a “five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop” — information that was “consistent with the screenshots that we became aware of yesterday.”

After the news broke late Monday, experts expressed concerns that any spillover from such an incident could have implications for the cybersecurity of Okta customers, who use the company’s single sign-on (SSO) services — including password managers — to control access to their networks and applications.

Lapsus$, in theory, could use access to Okta to breach accounts of its customers. The cybercrime group typically steals data and then holds it for ransom. The group claimed that it did not access any of Okta’s databases directly. “[O]ur focus was ONLY on okta customers,” the gang wrote.

The visual evidence


Security researcher Bill Demirkapi posted a Twitter thread late Monday with screenshots from the Telegram page where Lapsus$ has posted evidence of other alleged intrusions into major corporate networks, including Microsoft, Nvidia and Samsung.

The eight screenshots include images that appear to show Okta’s Slack channels, and a “Superuser” dashboard for Cloudflare, a major content delivery network. Cloudflare CEO Matthew Prince tweeted early Tuesday morning that the company was aware “Okta may have been compromised,” but added that there was no evidence Cloudflare had been compromised. “Okta is merely an identity provider,” Prince wrote. “Thankfully, we have multiple layers of security beyond Okta, and would never consider them to be a standalone option.”

Later Tuesday, Cloudflare posted an explanation and timeline of its incident response. Cloudflare customers “do not need to take any action unless they themselves use Okta,” it said.

The recent burst of activity by Lapsus$ has drawn worldwide attention to a hacking group that claims to be financially motivated, with no particular allegiance to any nation-state. Security researchers haven’t been able to pin down the organization’s locus of activity, although some evidence suggests Lapsus$ could be based in South America, possibly Brazil, with cells potentially elsewhere.


Okta’s services are approved for U.S. government use under the FedRAMP program, which certifies the security of cloud-based services. Agency customers include the Federal Communications Commission and the Centers for Medicare and Medicaid Services.

Bradbury said Tuesday that “there is no impact” to customers who use it under FedRAMP authority.

The Lapsus$ hackers had made a point of calling out the federal certification by name: “For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor,” the group wrote in the message that included the screenshots.

In May 2021, the company also received provisional authority to operate from the Defense Information Systems Agency (DISA) within Impact Level 4 networks — the Pentagon’s designation for controlled unclassified information.

John Hewitt Jones contributed to this story.

Latest Podcasts