{
	"id": "c72f5ac5-cbaf-416d-a54c-7e3d00a2f9d5",
	"created_at": "2026-04-06T00:15:31.60844Z",
	"updated_at": "2026-04-10T03:28:46.838883Z",
	"deleted_at": null,
	"sha1_hash": "3a6491f03e6866bb195993c0ff8fb4aaf4f330d3",
	"title": "New Report on Okta Hack Reveals the Entire Episode LAPSUS$ Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 319944,
	"plain_text": "New Report on Okta Hack Reveals the Entire Episode LAPSUS$\r\nAttack\r\nBy The Hacker News\r\nPublished: 2022-03-29 · Archived: 2026-04-05 15:53:14 UTC\r\nAn independent security researcher has shared what's a detailed timeline of events that transpired as the notorious\r\nLAPSUS$ extortion gang broke into a third-party provider linked to the cyber incident at Okta in late January\r\n2022.\r\nIn a set of screenshots posted on Twitter, Bill Demirkapi published a two-page \"intrusion timeline\" allegedly\r\nprepared by Mandiant, the cybersecurity firm hired by Sitel to investigate the security breach. Sitel, through its\r\nacquisition of Sykes Enterprises in September 2021, is the third-party service provider that provides customer\r\nsupport on behalf of Okta.\r\nThe authentication services provider revealed last week that on January 20, it was alerted to a new factor that was\r\nadded to a Sitel customer support engineer's Okta account, an attempt that it said was successful and blocked.\r\nThe incident only came to light two months later after LAPSUS$ posted screenshots on their Telegram channel as\r\nevidence of the breach on March 22.\r\nhttps://thehackernews.com/2022/03/new-report-on-okta-hack-reveals-entire.html\r\nPage 1 of 3\n\nThe malicious activities, which gave the threat actor access to nearly 366 Okta customers, occurred over a five-day window between January 16 and 21, during which the hackers carried out different phases of the attack,\r\nincluding privilege escalation after gaining an initial foothold, maintaining persistence, lateral movement, and\r\ninternal reconnaissance of the network.\r\nOkta claimed that it had shared indicators of compromise with Sitel on January 21 and that it received a summary\r\nreport about the incident from Sitel only on March 17. 
Subsequently, on March 22, the same day the criminal\r\ngroup shared the screenshots, it said it obtained a copy of the complete investigation report.\r\n\"Even when Okta received the Mandiant report in March explicitly detailing the attack, they continued to ignore\r\nthe obvious signs that their environment was breached until LAPSUS$ shined a spotlight on their inaction,\"\r\nDemirkapi wrote in a tweet thread.\r\nThe San Francisco-based company, in a detailed FAQ posted on March 25, acknowledged that its failure to notify\r\nits users about the breach in January was a \"mistake.\"\r\n\"In light of the evidence that we have gathered in the last week, it is clear that we would have made a different\r\ndecision if we had been in possession of all of the facts that we have today,\" Okta said, adding it \"should have\r\nmore actively and forcefully compelled information from Sitel.\"\r\nSitel, for its part, said it's \"cooperating with law enforcement\" on the incident and has clarified that the breach\r\naffected \"a portion of the legacy Sykes network only,\" adding it \"took swift action to contain the attack and to\r\nnotify and protect any potentially impacted clients who were serviced by the legacy organization.\"\r\nThe development comes as the City of London Police told The Hacker News last week that seven people\r\nconnected to the LAPSUS$ gang were arrested and subsequently released under investigation. \"Our enquiries\r\nremain ongoing,\" the agency added.\r\nSource: https://thehackernews.com/2022/03/new-report-on-okta-hack-reveals-entire.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2022/03/new-report-on-okta-hack-reveals-entire.html"
	],
	"report_names": [
		"new-report-on-okta-hack-reveals-entire.html"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a6491f03e6866bb195993c0ff8fb4aaf4f330d3.pdf",
		"text": "https://archive.orkl.eu/3a6491f03e6866bb195993c0ff8fb4aaf4f330d3.txt",
		"img": "https://archive.orkl.eu/3a6491f03e6866bb195993c0ff8fb4aaf4f330d3.jpg"
	}
}