Re: tentative: Okta may have been breached since late January

Royce Williams

That's compatible with the theory that they did keep quiet about it - until they were caught.

Okta's blog post has been updated:

Excerpt (emphasis mine):

After a thorough analysis of these claims, we have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.


On Tue, Mar 22, 2022 at 6:48 PM Tom Bentley <TomBent@...> wrote:
My first thought was that if they had obtained sufficient access to compromise clients they would have kept quiet about it.

On Mar 22, 2022, at 17:35, JP <jp@...> wrote:

Thanks again Royce. 

I have been watching this on some MSP forums as well, a security vendor posted this yesterday afternoon, I was also kind of waiting to see what this really is once the dust settles. Currently the concern among that community is that our vendors may have been using Okta for authentication and everyone is really gunshy since the Kaseya and Log4J events. So even though I don't personally employ Okta I am asking my vendors if they do. If I find anything I will be sure to reply here.

On Mon, Mar 21, 2022 at 10:34 PM Royce Williams <royce.williams@...> wrote:
Developing story - take with a grain of salt. If you use Okta, it might be useful for IR resources to start tentative evaluation of applicability to your environment.

Early speculation is that the threat actor (LAPSUS$) may have lost their foothold, and so decided to "burn" it for the exposure.


Join to automatically receive all group messages.