The Okta Breach: What You Should Be Doing


On March 22, 2022, the threat group LAPSUS$ announced the compromise of Okta. Okta is an enterprise-grade Multi-Factor and Identity and Access Management (IAM).

Recently, the LAPSUS$ group has made statements of breaching high-value targets, but has provided very little evidence of being successful into those attacks. It is now known that the attack on Okta was successful and approximately 366 customers were impacted. Though the details of the attack are still quite limited, what we know is that this attack was likely successful due to phishing or the acquisition of credentials through the bribing of an internal employee.

Regardless of the method, based on the screenshots shared by the attacker, it appears that a third-party support engineer's laptop was compromised and legitimate access was used.

At this time, we recommend the following actions:

  • Review Okta System logs for unusual "Reset Multifactor" events.
  • Review Okta system logs for unusual "Reset Password" events.
  • Review Okta System logs for unusual "Impersonation" events.
  • As always, keep an eye on any emails with the words "Reset Password" and "Reset Multifactor". If those events are observed, correlate them with corresponding Okta events.

We also recommend keeping a very close eye on the accounts used by support staff and privileged users in your organization. This attack has proven that though technical controls are necessary, we still have to harden the HumanOS.

If you are currently leveraging Critical Path Security's Managed Security services, please confirm that your Okta tenant has been enrolled.

As always, Critical Path Security is ready to assist you in the defense against these attacks.