{
	"id": "7fb71126-9d15-4078-a807-6c9a7eb5b9da",
	"created_at": "2026-04-06T03:36:06.413951Z",
	"updated_at": "2026-04-10T13:12:14.257408Z",
	"deleted_at": null,
	"sha1_hash": "76c080b5f9d1c809956847863828ae29569ab3ae",
	"title": "Okta confirms 2.5% customers impacted by hack in January",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1525601,
	"plain_text": "Okta confirms 2.5% customers impacted by hack in January\r\nBy Ionut Ilascu\r\nPublished: 2022-03-22 · Archived: 2026-04-06 03:11:07 UTC\r\nOkta, a major provider of access management systems, says that 2.5%, or approximately 375 customers, were impacted by a\r\ncyberattack claimed by the Lapsus$ data extortion group.\r\nThe company announced its conclusion today, saying that there are no corrective actions that its customers should take.\r\nFive-day opportunity window\r\nOkta confirmed today they suffered a security incident in January when hackers compromised a laptop of one of its support\r\nengineers that could initiate password resets for customers.\r\nhttps://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/\r\nAn investigation into the breach showed that the threat actors had access to the laptop for five days, during which they were\r\nable to access Okta's customer support panel and the company's Slack server.\r\n“The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had\r\naccess to a support engineer’s laptop. 
This is consistent with the screenshots that we became aware of yesterday,” Okta says\r\nin an updated statement on the incident.\r\nScreenshots published by the Lapsus$ group show an email address of an Okta employee that appeared to have 'superuser'\r\nprivileges that allowed them to list users, reset passwords, reset MFA, and access support tickets.\r\nHowever, the company explains that if successful, such a compromise would be limited to the amount of access that support\r\nengineers have, which prevents creating or deleting users, or downloading customer databases.\r\n“Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the\r\nscreenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication [MFA]\r\nfactors for users, but are unable to obtain those passwords” - Okta\r\nIn a later update Tuesday evening, Okta is now stating that approximately 2.5% of its customers were affected by the\r\nLapsus$ cyberattack.\r\nAs Okta has over 15,000 customers, this means that approximately 375 organizations may have had accounts that were\r\ncompromised in some manner.\r\n\"We have identified those customers and are contacting them directly. 
If you are an Okta customer and were impacted, we\r\nhave already reached out directly by email,\" explains Okta's Tuesday evening update.\r\nCloudflare reacts to Okta's breach\r\nIn the screenshots from Lapsus$ there is also an email address of a Cloudflare employee whose password was about to be\r\nreset by hackers that compromised the account of an Okta employee.\r\nIn a report today, web infrastructure and security company Cloudflare revealed that the company email account present in\r\nthe Lapsus$ screenshots was suspended about 90 minutes after its Security Incident Response Team (SIRT) received the first\r\nnotification of a potential problem, in the early morning of March 22 (03:30 UTC).\r\n“In a screenshot shared on social media, a Cloudflare employee’s email address was visible, along with a popup indicating\r\nthe hacker was posing as an Okta employee and could have initiated a password reset” - Cloudflare\r\nCloudflare notes that Okta services are used internally for employee identity integrated in the authentication stack and that\r\nits customers have nothing to worry about, “unless they themselves use Okta.”\r\nTo eliminate any chance of unauthorized access to its employee accounts, Cloudflare checked all password resets or\r\nmodified MFA since December 1, 2021. 
In total, 144 accounts fit the bill and the company forced a password reset on all of\r\nthem.\r\nOkta learned of the breach attempt after detecting “an unsuccessful attempt to compromise the account of a customer\r\nsupport engineer working for a third-party provider.”\r\nThe company notified the provider of the issue, at the same time terminating the compromised user’s active sessions and\r\nsuspending their account.\r\nLapsus$ responds\r\nIn response to Okta’s statements today, the Lapsus$ group shared their part of the story, saying that they did not compromise\r\nan Okta employee’s laptop but their thin client (low-performance system that connects remotely into a virtual environment\r\nto carry out tasks).\r\nThe hackers dispute Okta’s affirmation that the compromise was unsuccessful by claiming that they “logged in to superuser\r\nportal with the ability to reset the Password and MFA of ~95% of clients.”\r\nLapsus$ is known mostly for leaking proprietary data stolen from big companies like Samsung, NVIDIA, and Mercado\r\nLibre. The group also claims to have breached Microsoft's internal Azure DevOps server and leaked 37 GB of source\r\ncode allegedly for Bing, Cortana, and other Microsoft projects.\r\nAnother breach the group claims is on LG Electronics, bragging that it's the second time in a year they hacked the\r\ncompany's systems.\r\nSource: https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/"
	],
	"report_names": [
		"okta-confirms-25-percent-customers-impacted-by-hack-in-january"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446566,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76c080b5f9d1c809956847863828ae29569ab3ae.pdf",
		"text": "https://archive.orkl.eu/76c080b5f9d1c809956847863828ae29569ab3ae.txt",
		"img": "https://archive.orkl.eu/76c080b5f9d1c809956847863828ae29569ab3ae.jpg"
	}
}