Sooooooo not-so-comforting news on the MFA front today. Looks like a Costa Rican contract support guy for Okta got pwned in January and his credentials were used by LAPSUS to do some exploration of Okta clients. The fact that LAPSUS is publishing this now means (1) they no longer have the access and one of the following:

(a) they got nothing of consequence other than password reset access and are just really trying to ruin Okta’s first quarter.

(b) they got things of consequence from Okta customers by gaining creds to their cloud services and are now preparing to reap the rewards, and just want everyone to have a bad day

(c) some middle ground between the two.

In Okta’s customer support JIRA
This is fine. The tabs tho.
This is fine. Cloudflare better change some creds.
LAPSUS bein’ LAPSUS. The FEDRAMP slam is a little too on the nose…
Meanwhile in LAPSUS chat, people are posting spam links behind /DOWNLOAD and /torrent_LAPSUS_Nvidia_Part1 and LAPSUS is modding the content (lol)

LAPSUS is kinda…sus. It’s not clear that they’re profiting at all from the breaches they’ve conducted (NVidea, Microsoft, and Samsung included) and leaked data from. It’s not even clear if they intended to. As Marcus Hutchins said:


For its part, Okta says access was limited to what support techs have access to…which is stuff like password reset and such. Buuuuuut this may not be the full story. Even so, it’s not clear that LAPSUS got any real access to customer sites (though they may have some other interesting things):

So this sort of has the feel of the old LulzSec days–targets of opportunity at high profile companies mostly for lulz and not profit really:

Step 1: Gain employee level access to codez and sh*t

Step 2: Reveal all the things on Telegram for the lulz

Step 3: ???????

Step 4: PROFIT

There are lulz, no doubt. Okta is not going to share all the IoCs because they’re Okta. We’re never going to know what actually happened from a reliable source. So just assume that everything is screwed, and while you lulz check all your access logs for the Boys from Brazil or wherever they are.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: