January 25, 2025

The Third-Party Okta Hack Is Bad

Authentication firm Okta’s statements on the Lapsus$ breach fail to answer key questions.

A DIGITAL EXTORTION group threw the security world into disarray on Monday with claims that it had gained access to a “super user” administrative account for the identity management platform Okta. The claim is alarming because Okta bills itself as “The World’s #1 Identity Platform,” and so many organizations use Okta as the gatekeeper to their suite of cloud services that such an attack could have major ramifications for any number of Okta customers. While Okta has released new details—including clarifying what “super user” means and the potential extent of the breach—questions about the incident, and the company’s handling of it, remain unanswered.

Okta said in a short statement that in late January it had “detected an attempt to compromise the account of a third-party customer support engineer working for one of our subprocessors,” but that “the matter was investigated and contained by the subprocessor.”

In another statement, Okta’s chief security officer, David Bradbury, said categorically, “The Okta service has not been breached.” But in a confusing turnaround, eight hours after posting Bradbury’s statement, Okta updated the notice with some expanded information. Okta admitted that roughly 2.5 percent of its customers “have potentially been impacted,” adding that their data “may have been viewed or acted upon.” In a later update, the company clarified that the “maximum potential impact” of the breach is around 366 of its more than 14,000 customers as of February.