Okta 2022 and 2023: When the Identity Provider Gets Hacked
Okta: The Compromised Gatekeeper
Okta is one of the world's leading identity providers (IdPs). Thousands of companies use Okta to manage authentication for their employees and customers. Compromising Okta therefore potentially means access to every system of every one of its customers.
The January 2022 Incident
What happened: the Lapsus$ group compromised the workstation of a support engineer at an Okta subcontractor (Sitel/Sykes). This access allowed viewing and modifying customer support sessions, including the ability to reset passwords and MFA tokens.
The problematic timeline: the attack occurred in January 2022. Okta was informed on January 20. Lapsus$ published screenshots on March 22, forcing Okta to communicate publicly. The two-month gap between detection and communication was heavily criticized.
Impact: according to Okta, 366 customers (about 2.5% of their base) were potentially affected. However, uncertainty about the exact scope forced many customers to reset their credentials as a precaution.
The October 2023 Incident
What happened: attackers accessed Okta's customer support system using a stolen service token. They were able to view HAR (HTTP Archive) files uploaded by customers during support requests. These files often contain session tokens and authentication cookies.
Direct victims: among clients whose support data was accessed, Cloudflare, 1Password, and BeyondTrust published statements. BeyondTrust had detected the intrusion and alerted Okta two weeks before Okta confirmed the incident.
Revised impact: Okta initially announced 134 affected customers. Then in November 2023, the figure was revised: data of all customer support system users (approximately 18,000 accounts) had been extracted.
The Recurring Pattern
Both incidents share common characteristics:
Lessons for Organizations
Your identity providers are SPOFs (Single Points of Failure). If your IdP is compromised, all your systems potentially are too.
Monitor access to your support tools. Support systems often have elevated privileges to help customers. They must be continuously monitored.
Do not share tokens in HAR files. If a vendor asks for a HAR file for debugging, remove cookies and tokens before sending.
Have a Plan B for authentication. If your IdP is compromised, can you quickly revoke all sessions and force re-authentication?
MFA alone is not enough. Both incidents show that Okta's security controls did not prevent access to internal systems through indirect vectors.
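The HAR-file lesson above is easy to state and easy to get wrong by hand, because credentials hide in several places at once: request and response headers, cookie arrays, query strings and URL fragments, form bodies, and JSON bodies returned by token endpoints. The following sanitizer is an added example written for this article; it is not code from Okta or from any vendor's support tooling. The header and parameter name lists are assumed starting points that you would extend with whatever your own applications use, and the embedded HAR is a constructed sample, not a real capture.

```python
"""Scrub credentials from a HAR file before sharing it with a vendor (added example)."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Assumed starting lists of credential-bearing names; extend for your own apps.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-auth-token", "x-csrf-token", "x-xsrf-token",
}
SENSITIVE_PARAMS = {
    "token", "access_token", "id_token", "refresh_token", "session_token",
    "sessiontoken", "code", "password", "client_secret", "api_key", "apikey",
}
# Anything shaped like a JWT (three base64url segments) inside free text.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _scrub_pairs(pairs, names, stats):
    """Redact the value of every {name, value} item whose name is in `names`."""
    for item in pairs or []:
        if item.get("name", "").lower() in names and item.get("value"):
            item["value"] = REDACTED
            stats["pairs"] += 1


def _scrub_cookies(cookies, stats):
    """Every cookie value is treated as a secret: session IDs live here."""
    for cookie in cookies or []:
        if cookie.get("value"):
            cookie["value"] = REDACTED
            stats["cookies"] += 1


def _scrub_query(query, stats):
    """Rewrite a query, fragment or form-encoded string, redacting sensitive keys."""
    out = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS and value:
            value = REDACTED
            stats["pairs"] += 1
        out.append((key, value))
    return urlencode(out, safe="[]")


def _scrub_url(url, stats):
    parts = urlsplit(url)
    # OAuth implicit-flow responses put tokens in the fragment, so scrub it too.
    return urlunsplit(parts._replace(
        query=_scrub_query(parts.query, stats) if parts.query else "",
        fragment=_scrub_query(parts.fragment, stats) if parts.fragment else ""))


def _scrub_json(obj, stats):
    """Walk a parsed JSON body and redact string values under sensitive keys."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in SENSITIVE_PARAMS and isinstance(value, str) and value:
                obj[key] = REDACTED
                stats["json_keys"] += 1
            else:
                _scrub_json(value, stats)
    elif isinstance(obj, list):
        for item in obj:
            _scrub_json(item, stats)


def _scrub_text(text, mime_type, stats):
    """Redact a body: by key if JSON or form-encoded, then by JWT shape in any text."""
    if not isinstance(text, str) or not text:
        return text
    mime = (mime_type or "").lower()
    if "json" in mime:
        try:
            parsed = json.loads(text)
            _scrub_json(parsed, stats)
            text = json.dumps(parsed)
        except ValueError:
            pass  # declared JSON but not parseable; fall through to the regex
    elif "x-www-form-urlencoded" in mime:
        text = _scrub_query(text, stats)
    text, hits = JWT_RE.subn(REDACTED, text)
    stats["jwt"] += hits
    return text


def sanitize_har(har):
    """Return (sanitized deep copy, redaction counts); the input is left untouched."""
    har = copy.deepcopy(har)
    stats = {"pairs": 0, "cookies": 0, "json_keys": 0, "jwt": 0}
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if "url" in req:
            req["url"] = _scrub_url(req["url"], stats)
        _scrub_pairs(req.get("headers"), SENSITIVE_HEADERS, stats)
        _scrub_pairs(resp.get("headers"), SENSITIVE_HEADERS, stats)
        _scrub_cookies(req.get("cookies"), stats)
        _scrub_cookies(resp.get("cookies"), stats)
        _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS, stats)
        post = req.get("postData") or {}
        _scrub_pairs(post.get("params"), SENSITIVE_PARAMS, stats)
        if "text" in post:
            post["text"] = _scrub_text(post["text"], post.get("mimeType"), stats)
        content = resp.get("content") or {}
        if "text" in content:
            content["text"] = _scrub_text(content["text"], content.get("mimeType"), stats)
    return har, stats


def serialize(har):
    return json.dumps(har, indent=2)


# Constructed sample HAR (not a real capture): a token-bearing API call and a login POST.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlX3BsYWNlaG9sZGVy"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://idp.example.invalid/api/v1/users/me?token=abc123&page=2",
                 "headers": [{"name": "Authorization", "value": "Bearer " + SAMPLE_JWT},
                             {"name": "Cookie", "value": "sid=102abcdef"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "102abcdef"}],
                 "queryString": [{"name": "token", "value": "abc123"},
                                 {"name": "page", "value": "2"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=newvalue; HttpOnly"}],
                  "cookies": [{"name": "sid", "value": "newvalue"}],
                  "content": {"mimeType": "application/json",
                              "text": json.dumps({"id": "00u-demo", "access_token": SAMPLE_JWT})}}},
    {"request": {"method": "POST", "url": "https://idp.example.invalid/login",
                 "headers": [], "cookies": [], "queryString": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "username", "value": "alice"},
                                         {"name": "password", "value": "hunter2"}],
                              "text": "username=alice&password=hunter2"}},
     "response": {"status": 200, "headers": [], "cookies": [],
                  "content": {"mimeType": "text/html",
                              "text": "<script>var t='" + SAMPLE_JWT + "';</script>"}}},
]}}

if __name__ == "__main__":
    clean, counts = sanitize_har(SAMPLE_HAR)
    print(counts)
    print(serialize(clean))
```

Two design choices matter here. Cookie values are redacted unconditionally rather than by name, because a session identifier can be called anything and a single missed one is exactly what an attacker with access to the support system needs. And the JWT regex runs over every body as a last resort after key-based scrubbing, since tokens leak into HTML and script bodies that no allow-list of parameter names will catch; opaque (non-JWT) tokens embedded in unstructured text remain the reader's own responsibility to check before the file leaves the organisation.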
CleanIssue audits your identity provider configuration and identifies cascade compromise risks.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.