Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

Okta LAPSUS$ Incident Resource Center

Avatar
Ingrid
Follow

March 24, 2022:

Between January 16-21, 2022, an attacker from LAPSUS$ (a digital extortion group) had access to the laptop of an Okta Customer Support Engineer who was working for an Okta third-party provider. Support Engineers have limited access/permissions, including:

  • Access to Jira tickets.
  • Access to Okta user lists.
  • Can facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.
  • Cannot create or delete users.
  • Cannot download customer databases.

Resources

What You Can Do

Determine If You’re Affected

  • Work with Okta to determine if your organization was one of the estimated 2.5% of Okta users accessed by LAPSUS$.
  • Search your Okta logs and applications using Okta for unusual activity, such as user impersonation, password resets, and multi-factor authentication changes.
  • Though the critical time frame that the attacker had access to Okta was between January 16th-21st, we recommend extending the search beyond the 21st and searching for other signs of intrusion to determine if the attackers were able to further penetrate and persist in your environment.

Search Across Your Portfolio

Third Parties

Identify which organizations in your third-party ecosystem may have been affected.

  1. Ensure the appropriate portfolio option is selected from the Context Switcher dropdown.
  2. Navigate to your Companies List [ Portfolio Risk ➔ Companies List].
  3. Select “Okta, Inc.” from the Service Provider filter to narrow your search.
  4. Move these companies for analysis into a new folder for ease of access.

Fourth Parties

Additionally, refer to the following instructions to see potentially impacted providers if you are using Bitsight for 4th Party:

  1. Go to the Service Providers Used by Third parties page [Hierarchy Icon 4th Party Risk ➔ Service Providers].
  2. Select your folder containing your potentially impacted third parties from the Context Switcher dropdown.
  3. Enter “Okta” in the top-right search bar.
  4. Select OptionsView dependent companies for Okta Group to see organizations within the folder that are dependent on Okta Group.

This data can be exported (.csv) using the Export button at the top-right of the service provider details window.

Collaborate With Your Third Parties

Contact those organizations to confirm their use of Okta or use the Enable Access Program. Determine what steps they're taking to confirm or refute that they've been affected and ask that they keep you informed on the state of their investigation.

March 24, 2022:

Between January 16-21, 2022, an attacker from LAPSUS$ (a digital extortion group) had access to the laptop of an Okta Customer Support Engineer who was working for an Okta third-party provider. Support Engineers have limited access/permissions, including:

  • Access to Jira tickets.
  • Access to Okta user lists.
  • Can facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.
  • Cannot create or delete users.
  • Cannot download customer databases.

Resources

What You Can Do

Determine If You’re Affected

  • Work with Okta to determine if your organization was one of the estimated 2.5% of Okta users accessed by LAPSUS$.
  • Search your Okta logs and applications using Okta for unusual activity, such as user impersonation, password resets, and multi-factor authentication changes.
  • Though the critical time frame that the attacker had access to Okta was between January 16th-21st, we recommend extending the search beyond the 21st and searching for other signs of intrusion to determine if the attackers were able to further penetrate and persist in your environment.

Search Across Your Portfolio

Third Parties

Identify which organizations in your third-party ecosystem may have been affected.

  1. Ensure the appropriate portfolio option is selected from the Context Switcher dropdown.
  2. Navigate to your Companies List [ Portfolio Risk ➔ Companies List].
  3. Select “Okta, Inc.” from the Service Provider filter to narrow your search.
  4. Move these companies for analysis into a new folder for ease of access.

Fourth Parties

Additionally, refer to the following instructions to see potentially impacted providers if you are using Bitsight for 4th Party:

  1. Go to the Service Providers Used by Third parties page [Hierarchy Icon 4th Party Risk ➔ Service Providers].
  2. Select your folder containing your potentially impacted third parties from the Context Switcher dropdown.
  3. Enter “Okta” in the top-right search bar.
  4. Select OptionsView dependent companies for Okta Group to see organizations within the folder that are dependent on Okta Group.

This data can be exported (.csv) using the Export button at the top-right of the service provider details window.

Collaborate With Your Third Parties

Contact those organizations to confirm their use of Okta or use the Enable Access Program. Determine what steps they're taking to confirm or refute that they've been affected and ask that they keep you informed on the state of their investigation.

Related articles