Official Okta Statement on LAPSUS$ Claims

David Bradbury

Last updated: 03/22/2022 12.00pm, Pacific Time

Please note - Following this update all further information will be published at:
https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/

The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers. In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.

Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and Multi-Factor Authentication for users, but are unable to obtain those passwords.

We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

We take our responsibility to protect and secure our customers' information very seriously. We are deeply committed to transparency and will communicate additional updates when available.

Update (3/22/2022 2.15am, Pacific Time):

In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our sub-processors.

The matter was investigated and contained by the sub-processor.

We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.

David Bradbury
Chief Security Officer

David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping Okta’s customers continue to adopt and accelerate Zero Trust security strategies. 

Prior to joining Okta, Bradbury was Senior Vice President and Chief Security Officer at Symantec where he led and had global oversight of all cybersecurity and physical security programs.

Bradbury has built an international reputation for leading and delivering cybersecurity at scale. He has worked across his native Australia, as well as in the United Kingdom and the United States, leading highly regarded security teams at some of the world’s largest banks, including ABN AMRO, Barclays, Morgan Stanley and the Commonwealth Bank of Australia. He holds a B.S. in Computer Science from the University of Sydney.