
Okta ends Lapsus$ hack investigation, says breach lasted just 25 minutes



A forensic report concluded that the scope of access was far smaller than first thought, but customer trust may be hard to recover


Photo: a laptop showing “Error” notifications on the screen (Amelia Holowaty Krales / The Verge)

Three months after authentication platform Okta was breached by hacking group Lapsus$, the company has concluded its internal investigation after finding that the impact was less serious than initially believed.

In a blog post published Tuesday, Okta’s chief security officer David Bradbury noted that the company had been transparent by sharing details of the hack soon after it was discovered but that further analysis had downgraded early assessments of the potential scope.

“As a result of the thorough investigation of our internal security experts, as well as a globally recognized cybersecurity firm whom we engaged to produce a forensic report, we are now able to conclude that the impact of the incident was significantly less than the maximum potential impact Okta initially shared on March 22, 2022,” Bradbury wrote.

Hackers from the Lapsus$ hacker group compromised Okta’s systems on January 21st by gaining remote access to a machine belonging to an employee of Sitel, a company subcontracted to provide customer service functions for Okta. Details of the hack emerged two months later when a member of Lapsus$ shared screenshots of Okta’s internal systems in a Telegram channel — an incident that Bradbury labeled “an embarrassment” for the Okta security team.


More than an embarrassment, the breach was especially worrying because of Okta’s role as an authentication hub for managing access to numerous other technology platforms. For companies using enterprise software like Salesforce, Google Workspace, or Microsoft Office 365, Okta can provide a single point of secure access, letting administrators control how, when, and where users log on — and, in a worst-case scenario, giving a hacker access to a company’s entire software stack at once.

In a briefing with press and customers held in March, Bradbury said that the company’s security protocols had limited the hackers’ access to internal systems, a statement that seems to have been borne out by the final investigation.

While Okta’s early report concluded that the maximum period of unauthorized access was no more than five days, the recent forensic report found that the access period was actually just 25 minutes. And where the previous impact assessment capped the maximum number of organizations affected at 366, the new report found that only two Okta customers’ authentication systems had been accessed.

During this brief access period, Lapsus$ had not been able to authenticate directly to any customer accounts or make configuration changes, Okta said.

In light of the forensic report, Okta’s handling of the breach seems to have been done in accordance with best practices for disclosure and response, although the company’s reputation may still have taken a hit.

“While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta,” Bradbury said.