

Okta said Tuesday that a forensic investigation that it commissioned found that the hacker group Lapsus$ accessed two active customer tenants during the January breach of a third-party support firm.

The threat actor “actively controlled” a workstation belonging to one engineer at the support firm, Sitel, for 25 consecutive minutes on January 21, during which time it accessed the two customers, Okta said in a blog post.

While Okta had previously said that as many as 366 customers may have been impacted in the breach, the findings from the new investigation point to the actual impact being “significantly less than the maximum potential impact that Okta initially shared.”

The findings are based on a “thorough investigation [by] our internal security experts, as well as a globally recognized cybersecurity firm whom we engaged to produce a forensic report,” Okta said.

The identity and access management firm said this concludes its investigation into the breach.

During the 25-minute window, “the threat actor accessed two active customer tenants within the SuperUser application (whom we have separately notified), and viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants,” Okta said.

The company did not specify what actions were taken by Lapsus$ while it accessed the two customers, but noted several things that the threat actor did not do during that period. “The threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support ‘impersonation’ events,” Okta said in the post. “The threat actor was unable to authenticate directly to any Okta accounts.”

The finding that the Lapsus$ breach was restricted to January 21 contrasts with the initial disclosure, based on a forensic report commissioned by Sitel, which suggested the attacker had access to a support engineer’s laptop from January 16-21.

Slow to disclose?

Okta did not disclose the incident until March 22, and only then in response to Lapsus$ posting screenshots on Telegram as evidence of the breach. The lack of prompt disclosure ignited a debate in the cybersecurity community, with some criticizing the vendor for its handling of the breach.

Okta ultimately said it “made a mistake” in its response to the incident, and “should have more actively and forcefully compelled information” about what occurred in the breach.

In the blog post Tuesday, Okta said that it recognizes “how vital it is to take steps to rebuild trust within our broader customer base and ecosystem.”

“The conclusions from the final forensic report do not lessen our determination to take corrective actions designed to prevent similar events and improve our ability to respond to security incidents,” Okta said. “That starts with reviewing our security processes and pushing for new ways to accelerate updates from third parties and internally for potential issues, both big and small. We will continue to work to assess potential risks and, if necessary, communicate with our customers as fast as we can.”
