What is Lapsus$, and how did it affect Okta?
The Lapsus$ intrusion into Okta's support environment in early 2022 raised significant security concerns for businesses that rely on Okta's access management services. Here is how to assess your exposure, secure your company's data, and respond to potential impacts.
The Lapsus$ intrusion at Okta, which took place in January 2022 and became public in March 2022, underscored how much damage an attack on an access management provider can do, and why vigilance and proactive security measures are needed. For companies such as FedEx, T-Mobile US, and Coinbase, which rely on Okta for authentication, a breach of this kind raises concerns that go well beyond their own walls, reaching clients, employees, and service users. Here is a detailed look at the breach, who was at risk, and what companies can do to limit their exposure.
Who Is Affected by the Okta Breach?
Okta's authentication services underpin thousands of companies worldwide: at the time of the breach Okta reported over 15,000 customers and more than 100 million end users on its platform. Okta stated that about 2.5% of its customers, roughly 366 organizations, were potentially affected, but any breach of an access management platform can have wide-reaching impact. Okta is not just another service provider: its systems manage user credentials and access for some of the world's largest corporations.
Okta's customers include industry giants like FedEx, T-Mobile US, Coinbase, and Moody's, all of whom rely on Okta's Single Sign-On (SSO) and multi-factor authentication (MFA) to secure their data and operations. A breach of the identity provider sits upstream of every application it protects, so an attacker who can reset a password or MFA factor through Okta can reach data in any of those companies, and through them their users worldwide.
What Is Lapsus$?
Lapsus$ is an extortion-focused threat group that rose to prominence in late 2021 and early 2022. It distinguished itself not through ransomware encryption but through data theft, extortion and disruption campaigns against high-profile enterprises. Known for compromising Nvidia, Samsung, Ubisoft, and Microsoft, the group operated in an unusually brazen, high-visibility style that diverged from the covert approach of typical ransomware gangs.
Rather than relying solely on encrypting files for ransom, Lapsus$ leverages unauthorized access to internal systems to exfiltrate sensitive data—then publicly pressures its victims through social media platforms like Telegram, often releasing portions of the data to maximize reputational damage.
A notable example occurred in early 2022, when the group published alleged internal screenshots from Okta’s systems, claiming privileged access to authentication workflows. Lapsus$ also alleged that Amazon Web Services (AWS) keys were stored in Slack channels, underscoring a wider industry concern: many organizations still struggle with enforcing secure internal communication and access control policies.
Lapsus$ exemplifies the modern shift from traditional ransomware models to extortion-centric attacks that exploit human error, weak identity management, and insider access. As organizations modernize their infrastructure, identity security, privileged access governance, and internal collaboration hygiene must become board-level priorities to prevent similar breaches.
How Lapsus$ Operates: A Playbook of Modern Extortion
Unlike traditional ransomware groups that encrypt files and demand payment for decryption, Lapsus$ employs a data theft and extortion model that leverages social engineering, credential abuse, and privilege escalation. Their methods are technically unsophisticated but operationally bold and opportunistic. Here’s how a typical Lapsus$ attack unfolds:
Initial Access via Social Engineering or Credential Theft
Lapsus$ typically acquires credentials through SIM swapping, phishing, purchases from initial access brokers, or open recruitment of insiders, offering payment to employees at telecoms, IT helpdesks, and outsourcing contractors in exchange for VPN or helpdesk access. Employees at those organizations are common entry points precisely because their access reaches into many customers at once.
Bypassing MFA and Elevating Privileges
Once inside, the group targets identity infrastructure such as Active Directory or Okta and defeats MFA through session hijacking, stolen tokens, helpdesk-assisted factor resets, or MFA push fatigue (bombarding a user with push prompts until one is approved).
Exfiltration, Not Encryption
Unlike classic ransomware gangs, Lapsus$ does not encrypt systems. Instead, it exfiltrates sensitive data, including source code, credentials, and internal documentation, often using common tools and channels.
Public Pressure via Telegram
Lapsus$ weaponizes public communication. After extracting data, the group typically announces the breach on its Telegram channel, sometimes live-leaking files to amplify impact and force companies into negotiations.
Exploitation of Poor Security Hygiene
Lapsus$ has frequently exposed internal security weaknesses, such as hardcoded credentials, exposed APIs, or sensitive data shared via Slack or Jira, turning operational flaws into leverage points.

In short, Lapsus$ attacks aren’t a product of advanced technical tooling, but of privilege misuse, broken trust models, and human error. This makes them especially dangerous to organizations that rely on third parties, lack internal segmentation, or have inconsistent enforcement of security policies.
Timeline of the Okta Attack and How It Unfolded
The intrusion took place in January 2022. According to Okta, the attacker obtained remote (RDP) access to the laptop of a support engineer employed by Sitel, a third-party customer-support provider, during a five-day window from January 16 to 21. Okta has described this access as limited, while Lapsus$ claimed "Superuser/Admin" access for over two months and said its focus was Okta's customers rather than Okta itself.
Screenshots shared by the group show what appear to be internal Slack channels and a Cloudflare employee's account viewed in Okta's administrative interface, alongside claims that Okta kept sensitive access information in those spaces. If accurate, this points to weak handling of secrets at a company whose business is managing other organizations' access.
Okta’s Response: Assessing the Impact
In a statement, Okta's chief security officer David Bradbury played down the impact, emphasizing that the attacker held only a support engineer's permissions, which do not allow creating or deleting users, downloading customer databases, or obtaining passwords. Support engineers can, however, view user lists and Jira tickets and can facilitate resets of passwords and MFA factors for end users. Those two capabilities are enough to take over an account, which is why security experts raised red flags.
While Okta claims no corrective actions are needed for most customers, many security researchers disagree, suggesting that even limited access can pose serious risks, particularly when it involves password resets or MFA adjustments.
Recommended Security Measures for Okta Customers
If your organization uses Okta, now is the time to re-evaluate security measures. Here are some key recommendations from Keepnet to strengthen defenses and safeguard access:
- Enforce strong MFA everywhere: Okta supports MFA, but the protection only holds if it is required on every entry point (VPN, email, cloud consoles, helpdesk tools), not just the Okta sign-in. Prefer hardware security keys (FIDO2/WebAuthn), which resist phishing and cannot be push-bombed because there is no push prompt to approve.
- Review access permissions and logs regularly: monitor support-initiated events closely. Okta support staff act on a customer tenant through impersonation sessions, which appear in the Okta System Log as user.session.impersonation.* events, so review those events for the breach window, and treat any password reset or MFA factor reset your own staff did not request as an incident to investigate.
- Conduct Periodic Access Audits: Organizations using Okta should conduct regular security audits, ensuring that any unnecessary permissions are revoked and that user activity logs are monitored for anomalies. This should include scanning for any unexpected password resets, MFA reconfigurations, or admin-level access granted without authorization.
- Educate and Train Staff on Phishing Risks: Phishing often exploits MFA fatigue and weak password protocols, leading to access breaches. Organizations should invest in security awareness training for employees to spot phishing attempts and reduce human errors that hackers frequently target. A phishing simulator can be a great tool to help staff recognize phishing emails and prevent credential compromise.
- Partner with Security Experts to Strengthen Cybersecurity Posture: Working with cybersecurity consultants who understand access management can help bolster Okta’s inherent security. Keeping a proactive security posture minimizes the risks of cascading impacts if a vendor is compromised.
For more information on strengthening access management security, Keepnet Labs offers resources and tools like the phishing simulator and security awareness training.
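As an added example (not code from Okta or from this blog's author), the following Python script triages an export of Okta System Log records for the events a customer would review after a support-side compromise: Okta support impersonation sessions, password and MFA factor resets performed during such a session, and resets performed by any actor outside your own helpdesk allowlist. The JSON lines are constructed for the example and trimmed to the fields used; the helpdesk allowlist and the acme.example names are assumptions. Event type names follow Okta's System Log naming; confirm them against your tenant's log before using this for alerting.

```python
"""Triage Okta System Log exports for support-initiated and privileged events.

Added example, not Okta's code. Reads newline-delimited JSON records in the shape
of Okta System Log events and flags (a) Okta support impersonation sessions,
(b) password/MFA resets performed by an actor who started such a session, and
(c) password/MFA resets by any actor outside an approved helpdesk allowlist.
Event type names follow Okta's System Log naming; verify against your tenant.
"""
import json
from dataclasses import dataclass

# Actions that let whoever performs them take over the target account.
SENSITIVE_EVENTS = {
    "user.account.reset_password",
    "user.account.update_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}
IMPERSONATION_PREFIX = "user.session.impersonation."
IMPERSONATION_START = "user.session.impersonation.initiate"

# Assumed allowlist: your own helpdesk accounts that legitimately reset factors.
APPROVED_HELPDESK = {"helpdesk@acme.example"}

# Constructed sample log (one JSON object per line), trimmed to the fields used.
SAMPLE_LOG = """
{"published":"2022-01-20T08:12:11.000Z","eventType":"user.session.impersonation.initiate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support@okta.example","type":"User"},"target":[{"alternateId":"acme","type":"Org"}]}
{"published":"2022-01-20T08:14:03.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support@okta.example","type":"User"},"target":[{"alternateId":"cfo@acme.example","type":"User"}]}
{"published":"2022-01-20T08:15:40.000Z","eventType":"user.account.reset_password","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support@okta.example","type":"User"},"target":[{"alternateId":"cfo@acme.example","type":"User"}]}
{"published":"2022-01-20T09:30:00.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"helpdesk@acme.example","type":"User"},"target":[{"alternateId":"dev1@acme.example","type":"User"}]}
{"published":"2022-01-20T10:02:17.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"dev2@acme.example","type":"User"},"target":[]}
{"published":"2022-01-20T10:38:00.000Z","eventType":"user.account.reset_password","outcome":{"result":"FAILURE"},"actor":{"alternateId":"dev2@acme.example","type":"User"},"target":[{"alternateId":"dev1@acme.example","type":"User"}]}
{"published":"2022-01-20T10:40:05.000Z","eventType":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"dev2@acme.example","type":"User"},"target":[{"alternateId":"dev1@acme.example","type":"User"}]}
"""


@dataclass
class Finding:
    published: str
    event_type: str
    actor: str
    users: list
    reason: str


def _target_users(ev):
    """alternateIds of the User-type targets of an event (the accounts touched)."""
    return [t.get("alternateId", "?") for t in ev.get("target", []) if t.get("type") == "User"]


def triage(log_text, approved_actors=APPROVED_HELPDESK):
    findings = []
    impersonators = set()  # actors that started an Okta support impersonation session
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts deserve their own alert, but are not takeovers
        etype = ev["eventType"]
        actor = ev.get("actor", {}).get("alternateId", "?")
        if etype.startswith(IMPERSONATION_PREFIX):
            if etype == IMPERSONATION_START:
                impersonators.add(actor)
            findings.append(Finding(ev["published"], etype, actor, _target_users(ev),
                                    "okta-support-impersonation"))
        elif etype in SENSITIVE_EVENTS:
            if actor in impersonators:
                reason = "sensitive-action-during-support-impersonation"
            elif actor not in approved_actors:
                reason = "sensitive-action-by-unapproved-actor"
            else:
                continue  # routine helpdesk work by an approved account
            findings.append(Finding(ev["published"], etype, actor, _target_users(ev), reason))
    return findings


def affected_users(findings):
    """Accounts whose password or MFA factor was changed in a flagged event."""
    return {u for f in findings if f.event_type in SENSITIVE_EVENTS for u in f.users}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.published} {f.reason:46} {f.event_type:36} actor={f.actor} targets={f.users}")
    print("accounts to re-verify out of band:", sorted(affected_users(results)))
```

Pull the real records for the breach window from the System Log API or a SIEM export as newline-delimited JSON, and treat every account returned by affected_users as one whose credentials and factors must be re-established through a channel the attacker could not have controlled.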
How to Protect Your Organization from Lapsus$-Style Attacks
Lapsus$ is not a sophisticated APT group—they exploit human error, identity weaknesses, and poor operational discipline. That makes their attacks both preventable and scalable. Here’s how organizations can defend against this new wave of extortion:
1. Harden Identity Infrastructure
Lapsus$ routinely bypasses weak MFA and targets helpdesk workflows.
- Enforce phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys); where push-based MFA must remain, enable number matching to blunt push fatigue, keeping in mind that number matching does not stop real-time phishing proxies
- Disable legacy authentication protocols (IMAP, POP3, SMTP basic auth) that bypass MFA, wherever possible
- Lock down self-service and helpdesk password and MFA reset flows, and require identity proofing before a factor is reset
- Monitor for MFA fatigue patterns (bursts of push prompts to one user, especially a burst followed by an approval)
2. Protect Privileged Access
- Use Just-in-Time (JIT) access and Privileged Access Management (PAM) tools
- Enforce least privilege across admin roles, developers, and contractors
- Monitor for abnormal behavior across identity providers (Okta, Microsoft Entra ID, formerly Azure AD)
3. Monitor Insider Risk and Initial Access Vectors
- Conduct regular audits for password reuse, token leakage, and credential exposure (GitHub, Slack, Jira)
- Move high-risk employees off SMS-based MFA, and ask their carrier for port-out locks or account PINs to resist SIM swapping
- Review and harden helpdesk protocols to resist social engineering
4. Secure Developer & Cloud Workflows
- Restrict access to source code repositories
- Rotate credentials stored in CI/CD pipelines or messaging apps
- Use DLP and CASB tools to flag unusual access or exfiltration behaviors
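The first audit item above, credential exposure in chat and ticketing exports, is something a small scanner can do before an attacker does. The script below is an added example, not a Keepnet or Okta tool: it scans a constructed chat export in channel|user|text form for the credential kinds this article mentions (AWS keys pasted into Slack) plus a few other common shapes, and redacts every match before reporting it so the scanner's own output is not a second leak. The AWS key pair in the sample is the placeholder pair from AWS's documentation, not a live credential; the other sample values are invented.

```python
"""Scan exported chat/ticket text for leaked credentials.

Added example, not a Keepnet or Okta tool. Input is a constructed export with
one message per line in 'channel|user|text' form. Matches are redacted before
being reported so the report itself does not become a second leak.
"""
import re
from dataclasses import dataclass

PATTERNS = {
    # AWS access key IDs have a fixed prefix and length; secret keys are 40 chars
    # of base64-like text and are only flagged near an 'aws' or 'secret' hint.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws|secret)[^\n]{0,20}?(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key=value style assignments; values under 12 characters are skipped to limit noise
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{12,})"),
}

# Constructed sample export. Line 1 uses the placeholder key pair from AWS's docs.
SAMPLE_EXPORT = """\
deploy|alice|prod creds: AKIAIOSFODNN7EXAMPLE secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
general|bob|lunch at 12?
ops|carol|bot token xoxb-123456789012-abcdefghijklmnop
dev|dave|DB_PASSWORD=s3cr3tP4ssw0rdValue
dev|erin|password = hunter2
ops|frank|-----BEGIN RSA PRIVATE KEY-----"""


@dataclass
class Finding:
    line_no: int
    channel: str
    user: str
    kind: str
    redacted: str


def redact(value):
    """Keep a short prefix so the owner can recognise the secret, hide the rest."""
    keep = min(4, len(value) // 4)
    return value[:keep] + "*" * (len(value) - keep)


def scan_export(text):
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|", 2)
        channel, user, body = parts if len(parts) == 3 else ("?", "?", line)
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(body):
                # patterns with a capture group report only the secret, not the hint text
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(n, channel, user, kind, redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"line {f.line_no} #{f.channel} @{f.user}: {f.kind} {f.redacted}")
```

Every hit is a rotation task, not a clean-up task: deleting the message does not revoke the key, and Lapsus$-style actors read exports and search histories, not just live channels.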
5. Establish a Strong Human Risk Management Program
- Train staff to recognize social engineering, voice phishing, and session hijacking
- Deploy phishing simulations and adaptive micro-training when risky behavior is observed
- Leverage platforms like Keepnet’s Human Risk Management Platform to continuously reduce behavioral attack surface
6. Prepare for Extortion and Disclosure
- Build and rehearse an extortion playbook: legal, PR, security, and executive alignment
- Monitor Telegram and breach forums for mentions of your company
- Have plans in place to communicate breaches transparently, without succumbing to coercion
Bottom line: Lapsus$ doesn’t exploit zero-days—they exploit broken trust models. You can stop them by fixing identity gaps, reinforcing human behavior, and preparing for the tactics they’ve already published.
Editor’s note: This blog was updated July 10, 2025