Okta Lapsus$ third-party support breach

On 22 March 2022, the extortion group Lapsus$ posted screenshots of Okta's internal systems to its Telegram channel. Okta — an identity-and-access-management provider whose single-sign-on platform guards the logins of more than 15,000 organisations — was forced to confirm a security incident that had actually occurred two months earlier, in January, and had gone undisclosed.

What happened

The intrusion did not target Okta's own infrastructure directly. Instead, Lapsus$ compromised the network of Sitel (formerly Sykes), a third-party customer-support subprocessor Okta used. The group gained access to a Sitel support engineer's workstation and, on 21 January 2022, controlled it via Remote Desktop Protocol (RDP) for 25 consecutive minutes while it was logged into Okta's support tooling.

Okta's first warning came on 20 January 2022, when its security team received an alert that a new multi-factor-authentication factor had been added to a Sitel employee's Okta account from a new location. Okta suspended the account and launched an investigation, but the full scope only became clear once Lapsus$ went public.

Scope and limits

Support engineers operate with deliberately constrained privileges. They cannot create or delete users, cannot download customer databases, and cannot obtain plaintext passwords. They can view limited data such as Jira tickets and user lists, and can facilitate password and MFA resets.

Okta's messaging evolved as the investigation progressed:

• Initially, Okta stated the maximum potential impact was 366 customers — roughly 2.5% of its customer base — corresponding to everyone whose data the Sitel engineer's account could theoretically have touched during a five-day window (16–21 January).
• Its concluding April investigation confirmed that only two customer tenants were actually accessed, and that the attacker made no configuration changes, MFA/password resets, or customer-support "impersonation" actions.

The disclosure controversy

The most damaging aspect for Okta was not the technical scope — which was narrow — but the two-month gap between detection and disclosure. Customers and regulators criticised Okta for not notifying them when the incident was detected in January, learning of it only when Lapsus$ chose to publish. Okta itself acknowledged it should have moved faster and more transparently, and that it had relied too heavily on Sitel's own forensic timeline rather than demanding direct evidence sooner.

Why it matters

The Okta breach is a defining case in third-party and supply-chain identity risk. Okta sits at the centre of the trust web for thousands of organisations; a compromise of its support tooling — even a narrow, 25-minute one through a subcontractor — had outsized psychological and reputational impact precisely because of that position. The incident reinforced several hard lessons: that subprocessors inherit the blast radius of the principal, that detection without prompt disclosure erodes trust faster than the breach itself, and that even tightly-scoped support access must be monitored as a privileged path. It was also part of Lapsus$'s 2022 spree — alongside Microsoft, Nvidia, Samsung, and Uber — that showcased how a loosely-organised group of young actors could repeatedly defeat enterprise defences through social engineering rather than technical sophistication.