< Back to Blog
Responding to the Okta Breach
Security Best Practices & Advice

Responding to the Okta Breach

By Hunter Markman Mar 29, 20224 min read

By now, you’ve probably heard about the Okta breach by the malicious hacker group Lapsus$. Here’s everything you need to know—from how to tell if you’re exposed, to how to respond and try to mitigate your risk exposure.

Okta, a leading provider of Authentication Services and Identity and Access Management (IAM) solutions, says it is investigating claims of a data breach. Okta reports having over 3,800 employees and over 15,000 customers worldwide.

IT’S FREE, AND JUST TAKES A MINUTE Take Control of Your Third-Party Security

Lapsus$ is a threat actor group believed to be based in Brazil. The group gained notoriety in 2020 for breaching the Brazilian Health Ministry’s computer systems and later attacking other organizations such as Samsung, MercadoLibre, Vodafone and Ubisoft. Their MO is to compromise employee credentials and then to exfiltrate that customer data under the behavior of a legitimate user.

What happened?

Okta suffered a third-party breach. On March 22, 2022, Lapsus$ leaked screenshots of alleged Okta customer data. In January 2022, Okta had detected an unsuccessful attempt to compromise the account of a third-party customer support engineer working for Sitel. This, it appears, is when the Lapsus$ attack occurred. Okta immediately shared suspicious IP addresses with a third-party forensics firm.

How bad is it?

Lapsus$ seems to have acquired “superuser/admin” access to Okta.com and subsequently accessed Okta customer data. The group’s stated intent is not to target Okta specifically, but to compromise customers using Okta as a third party.

As it was announced by Okta, there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. What was also mentioned is that the damage potential to Okta customers is limited to the access their third-party support engineers have. These employees supposedly do not hold customer databases. They do however, manage Jira tickets with limited lists of users. Furthermore, as a sub-processor, they likely had high privileges to the customer accounts of Okta.

Moreover, the actions Lapsus$ was able to execute include resetting customer passwords and potentially changing the email address linked to an account – locking the customer out with devastating effects. The bottom line is that Okta suffered a third-party breach, and as the third-party of so many companies – caused a massive third-party breach of their own.

Who might be impacted?

Any customers using Okta services and any organization whose third parties use Okta as an IdP may be compromised. Okta believes approximately 2.5% of their customers have been impacted, including having their data compromised. They have identified those customers and are contacting them.

What should you do? Follow these steps:


  • Identify whether your company, or any of your critical third party vendors and partners, are using Okta as an IdP. Your third-party risk management platform can help you with the identification process. If you are an Okta customer, reach out to them directly inquiring about your impact.
  • Review Okta sign-in activity for anomalies.


  • Shorten the user session expiry period in your Okta configuration.
  • Review your enforcement policies in place for multi-factor authentication of your identities (ideally with an authenticator app).
  • Unprovision any unused identities (users) in your organization.
  • Enable user notifications for new sign-ins, new factor enrollment and factor resets.
  • Follow Panorays’ news page for updates on this breach. Panorays customers can also follow the Okta vendor page and “Cyber News & Data Breaches” section of the Panorays platform for continuous updates on this breach.


  • Mitigate future risk by considering upgrading your third-party security risk management approach.
  • Refer to Panorays’ Third-Party Incident Response Playbook to help you prepare for and respond to incidents like these with your third parties.
  • Communicate to employees the need for extra vigilance and the need to notify security administrators about any upticks in phishing attempts in particular.
  • Communicate to your third parties about steps you are taking to mitigate damages that they can mimic.
  • Be on alert for updates from Okta about possible compromises, and try to leverage your cybersecurity stack for added visibility and alert of any suspicious activity, especially password resets.

Panorays’ third-party security management platform automatically identifies your third parties as well as their vendors (your fourth parties), giving you clear insight into their security posture.

Want to get visibility and control over your third parties? It all starts with knowing who you are doing business with. Find out with Panorays today!

Author Thumbnail
Hunter Markman

Hunter Markman is a Product Marketing Manager at Panorays. In his spare time he enjoys hanging out with his wife and three cats and being a sartorial snob.

You may also like...
Sales Security Blog
Sep 28, 2022 Verifiable Security Posture Can Help Shorten Sales Cycles Aviva Spotts
Third-Party Security Risk Management
Sep 06, 2022 Third-Party Security Risk Management: A Critical Component of Your Risk… Aviva Spotts
Anatomy of a Healthcare Data Breach
Aug 03, 2022 Anatomy of a Healthcare Data Breach Demi Ben-Ari
Get Started Free
We use cookies to ensure you get the best experience on our website. Visit our Cookie Policy for more information.
Get our latest posts straight to your inbox Subscribe