Official Okta Statement on LAPSUS$ Claims
Last updated: 03/22/2022 12.00pm, Pacific Time
Please note - Following this update all further information will be published at:
The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers. In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.
Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.
The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and Multi Factor Authentication for users, but are unable to obtain those passwords.
We are actively continuing our investigation, including identifying and contacting those customers that may have been impacted. There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.
We take our responsibility to protect and secure our customers' information very seriously. We are deeply committed to transparency and will communicate additional updates when available.
Update (3/22/2022 2.15am, Pacific Time):
In late January 2022, Okta detected an attempt to compromise the account of a third-party customer support engineer working for one of our sub-processors.
The matter was investigated and contained by the sub-processor.
We believe the screenshots shared online are connected to this January event. Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.