Thursday, July 18, 2024

Lapsus$ Hacking Group Claims to Have Stolen Sensitive Data From Software Gaint Okta Solutions

Recently on March 22, 2022, several screenshots from the computer of one of Okta’s third-party support technicians were published online by the Lapsus$ hacking group claiming to have stolen sensitive data. 

There are many companies such as FedEx, Moody’s Corp (MCO.N), Peloton, SONOS, T-Mobile that rely on Okta to provide access to their networks primarily through authentication services. 

The Chief Security Officer at Okta, David Bradbury stated:-

“The sharing of these screenshots is embarrassing for myself and the whole Okta team. However, there is only a limited impact to Okta customers because the support engineers have access to the service.”

It is unclear how large the breach was, but since Okta manages networks and applications access for thousands of companies, it could have major consequences. But, David has assured that their identity was being investigated and they were being contacted by the company.

FedEx stated:-

“We are also investigating from our end, and currently have no indication that our environment has been accessed or compromised.”


  • January 20, 2022, 23:18: Okta Security received an alert that a new factor was added to a Sitel employee’s Okta account from a new location. The target did not accept an MFA challenge, preventing access to the Okta account.
  • January 20, 2022, at 23:46: Okta Security investigated the alert and escalated it to a security incident. 
  • January 21, 2022, at 00:18: The Okta Service Desk was added to the incident to assist with containing the user’s account. 
  • January 21, 2022, at 00:28: The Okta Service Desk terminated the user’s Okta sessions and suspended the account until the root cause of suspicious activity could be identified and remediated.
  • January 21, 2022, at 18:00: Okta Security shared indicators of compromise with Sitel. Sitel informed us that they retained outside support from a leading forensic firm. 
  • January 21, 2022, to March 10, 2022: The forensic firm’s investigation and analysis of the incident was conducted until February 28, 2022, with its report to Sitel dated March 10, 2022.
  • March 17, 2022: Okta received a summary report about the incident from Sitel
  • March 22, 2022, at 03:30: Screenshots shared online by LAPSUS$
  • March 22, 2022, at 05:00: Okta Security determined that the screenshots were related to the January incident at Sitel 
  • March 22, 2022, at 12:27: Okta received the complete investigation report from Sitel

Lapsus$ Compromised Okta Customer Data

Apart from this, after reaching earlier lows, shares of Okta were down 1.3% at $167.14 in late afternoon trading. ‘Lapsus$’ claims that it gained access to’s admin and superuser accounts, and has seen the customer data of Okta.

In the crowded ransomware market, Lapsus$ is only a relatively new member, but since its first hack and attention-seeking behavior, it has already made several waves and hype.

Not only that even earlier this year, but the Lapsus$ hacker group also compromised the websites of Impresa, tweeting that:-

“Lapsus$ is now the new president of Portugal.”

Okta’s internal tickets and internal Slack messages appear in images posted to Lapsus$’ Telegram account. While on Telegram, Lapsus$ reported breaching Azure DevOps source code repositories two days before boasting about hitting Okta.

Several screenshots shared by Lapsus$ indicate the date of the hack is January 21st, 2022, which indicates it was committed months ago, and this report is confirmed by the Okta co-founder and CEO Todd McKinnon.

However, there is no way to tell how many and to what extent Okta’s customers were affected by Lapsus$’s claims of unauthorized access to its systems.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Cybercriminals Exploit Attack on Donald Trump for Crypto Scams

Researchers at Bitdefender Labs remain ever-vigilant, informing users about the latest scams and internet...

New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations...

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles