Lapsus$ Claims Okta Breach via Third-Party Support Contractor
The Lapsus$ extortion crew posted screenshots showing what it claims is access to identity provider Okta's internal systems, obtained through a compromised third-party support contractor.
The extortion crew known as Lapsus$ posted a series of screenshots on its Telegram channel today purporting to show internal access to identity-and-access management vendor Okta, sparking concern across the thousands of enterprises that rely on Okta for single sign-on.
The screenshots show what appear to be Okta's superuser administrative interface over customer tenants, internal Slack channels, and an admin panel for Cloudflare, itself an Okta customer. Lapsus$ claimed it had held that access for two months starting in January 2022 and emphasized that its targets were Okta's customers rather than Okta itself.
Okta CEO Todd McKinnon initially downplayed the impact, but the company subsequently confirmed that approximately 366 customers — roughly 2.5 percent of its customer base — were potentially affected via a compromised laptop belonging to a customer-support engineer at Sitel, a third-party contractor.
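From a customer's side, the compromise path above looks like a support engineer entering the tenant through Okta's support tooling. One check a customer can run, as an added example that is not part of the article, Okta's guidance, or Sitel's tooling: scan a System Log export for support impersonation sessions that no tenant admin had granted shortly beforehand. The event-type names follow Okta's System Log catalog; the sample events, the 24-hour grant window and the `find_unexpected_support_sessions` helper are constructed for this illustration.

```python
"""Flag Okta Support impersonation sessions that no tenant admin granted.

Added illustration, not code from the article, Okta, or Sitel. The event-type
names follow Okta's System Log catalog; the sample events, the grant window
and the helper names are constructed for this example.
"""
from datetime import datetime, timedelta

# System Log event types emitted around a support engineer entering a tenant:
# a tenant admin enables Okta Support access (grant), then a support engineer
# starts a session inside the tenant (initiate).
GRANT_EVENT = "user.session.impersonation.grant"
INITIATE_EVENT = "user.session.impersonation.initiate"


def parse_published(ts):
    """Parse the System Log 'published' timestamp (ISO 8601 with a 'Z' suffix)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_unexpected_support_sessions(events, grant_window=timedelta(hours=24)):
    """Return successful impersonation sessions with no grant in the preceding window.

    grant_window is an assumption for this example: set it to the Okta Support
    access duration your tenant actually configures.
    """
    grants = [parse_published(e["published"]) for e in events
              if e["eventType"] == GRANT_EVENT]
    findings = []
    for e in events:
        if e["eventType"] != INITIATE_EVENT:
            continue
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue  # a refused session never reached the tenant
        started = parse_published(e["published"])
        covered = any(started - grant_window <= g <= started for g in grants)
        if not covered:
            findings.append({
                "published": e["published"],
                "actor": e.get("actor", {}).get("displayName"),
                "ip": e.get("client", {}).get("ipAddress"),
            })
    return findings


# Constructed sample export: one granted-and-used session, one session with
# no matching grant, and one refused attempt. IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"eventType": GRANT_EVENT, "published": "2022-01-10T09:00:00.000Z",
     "actor": {"displayName": "Tenant Admin"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": INITIATE_EVENT, "published": "2022-01-10T15:00:00.000Z",
     "actor": {"displayName": "Okta Support"}, "client": {"ipAddress": "203.0.113.10"},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": INITIATE_EVENT, "published": "2022-01-21T03:00:00.000Z",
     "actor": {"displayName": "Okta Support"}, "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": INITIATE_EVENT, "published": "2022-01-22T03:00:00.000Z",
     "actor": {"displayName": "Okta Support"}, "client": {"ipAddress": "198.51.100.7"},
     "outcome": {"result": "FAILURE"}},
]

if __name__ == "__main__":
    for f in find_unexpected_support_sessions(SAMPLE_EVENTS):
        print(f"ungranted support session at {f['published']} "
              f"by {f['actor']} from {f['ip']}")
```

Run against the sample, the check flags only the 21 January session, which has no grant in the preceding day. The caveat: a tenant that happened to have support access enabled during the contractor's window will see a legitimate grant, so the grant check alone is not sufficient; the session's timing, actor and source address still have to be compared with the support case the tenant actually opened.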
"The transitive trust here is the lesson," said Brian Krebs in a widely shared blog post. "If your identity provider's helpdesk vendor can be popped by a teenager, your entire SSO posture is downstream of their procurement decisions."
Lapsus$ has been on a months-long rampage, previously claiming compromises of Nvidia, Samsung, Vodafone, Ubisoft, and Microsoft source code for Bing. The City of London Police have since arrested seven individuals this week in connection with the group; researchers have linked at least one member to a 16-year-old in Oxford, England.