Learn how repeated breaches at a major identity provider exposed session tokens that bypassed MFA entirely.
• Attackers breached Okta twice in two years through different vectors, first via a third-party vendor and then through a compromised support system
• Session tokens stolen from HAR files bypassed MFA completely because they represent already-authenticated sessions
• Customers including BeyondTrust and Cloudflare detected the breach before Okta notified them, highlighting the importance of independent monitoring
• The incidents resulted in significant stock drops and a class action settlement
Your identity provider is supposed to be the most secure part of your stack. Okta’s repeated breaches prove that’s not always true. Two major incidents in two years showed attackers exactly how to bypass multi-factor authentication.
The pattern is what makes this case study valuable. In 2022, attackers compromised Okta through a third-party vendor. In 2023, they exploited a support system vulnerability. Both times, the company faced criticism for slow disclosure.
This case study examines both breaches, the technical mechanisms behind session token theft, and the lessons for security teams managing identity infrastructure.
These lessons apply whether you use Okta or another identity provider.
Okta serves over 18,000 customers as a critical identity infrastructure provider. When attackers compromise an identity provider, they gain potential access to every connected application. The Okta data breach pattern offers concrete lessons for security teams managing identity infrastructure.
Identity provider is a service that manages user authentication across multiple applications. Users sign in once and gain access to all connected systems. Because identity providers act as central authentication hubs, compromising one can cascade access to thousands of downstream applications.
The first incident came in January 2022 when the LAPSUS$ group compromised Sitel, a third-party support vendor. The second occurred in October 2023 through a compromised service account. Both times, customers detected suspicious activity before Okta notified them.
The 2022 breach demonstrated how third-party vendors extend your attack surface. Attackers never directly compromised Okta’s systems. Instead, they targeted Sitel, a customer support contractor with access to Okta’s internal tools.
LAPSUS$ gained access to Sitel’s systems through stolen VPN credentials. Once inside, they discovered a spreadsheet named “DomAdmins-LastPass.xlsx” containing domain administrator passwords. This discovery gave them elevated access to move laterally through Sitel’s network.
From Sitel’s environment, attackers accessed Okta’s internal systems through the support contractor’s authorized connections. The intrusion lasted five days, from January 16 to January 21, 2022. Okta’s security team received an MFA alert on January 20 and suspended the affected account.
According to LAPSUS$ claims posted on Telegram, they controlled Okta systems for approximately 25 minutes during the intrusion window. The group posted screenshots showing access to Okta’s internal Slack channels and customer support tools.
Two months passed between when Okta discovered the intrusion and when they publicly acknowledged it. LAPSUS$ forced the disclosure by posting screenshots on Telegram on March 22, 2022. Okta acknowledged the breach the same day.
The company initially claimed 366 customers (2.5% of the customer base) were potentially affected. They later revised this number down to only two customer tenants. However, the damage to trust had already occurred.
Okta’s stock dropped 11% following the disclosure, wiping approximately $6 billion from market capitalization.
The 2023 breach exploited a different vulnerability. This time, attackers targeted Okta’s own support infrastructure rather than a third party.
An Okta employee signed into a personal Google profile on their work laptop. They then saved Okta service account credentials to their personal Google account. When attackers compromised the personal account, they obtained those credentials.
The compromised service account had access to Okta’s customer support case management system. This system stored HAR files uploaded by customers for troubleshooting. HAR files often contain session tokens that remain valid.
Critical logging gaps prevented Okta from detecting the unauthorized access for 14 days. The attackers maintained access from September 28 through October 17, 2023.
HAR (HTTP Archive) files capture browser network traffic for debugging purposes. When customers upload HAR files to support systems, those files may contain active session cookies. Attackers who obtain these cookies can hijack active sessions.
Session hijacking occurs when attackers steal session tokens to impersonate authenticated users. Because session tokens represent completed authentication, attackers bypass passwords and MFA entirely. Attackers use stolen cookies to take over active sessions without needing credentials. This makes session token monitoring essential for detecting authentication attacks.
Session tokens bypass passwords and MFA completely. The authentication has already completed. Attackers use the stolen token to take over the authenticated session. This is why session hijacking has become a preferred attack method.
BeyondTrust’s security team detected suspicious activity on September 29, 2023. They notified Okta on October 2. Despite this warning, attackers remained active until October 18.
1Password also detected and reported unusual activity independently. Cloudflare was attacked on October 18, the day after Okta finally disabled the compromised account. Cloudflare publicly noted this was “the second time” they had been impacted by an Okta data breach.
Three customers detected the breach before Okta told them. Your own data breach detection matters more than waiting for vendor notifications.
The two breaches had different impacts, but both hurt Okta’s reputation.
Okta initially reported 366 customers potentially affected. After further investigation, they revised this to just two customer tenants who experienced actual unauthorized access.
LAPSUS$ was responsible for multiple high-profile breaches during this period. The group also targeted Microsoft and Samsung. They hit NVIDIA too. Their pattern involved public disclosure through Telegram to embarrass victims.
The reputational damage exceeded the direct technical impact.
Okta confirmed 134 customers were affected, representing less than 1% of the customer base. Of these, five customers experienced actual session hijacking attacks.
BeyondTrust and Cloudflare publicly disclosed being targeted. Their transparency contrasted with Okta’s slower disclosure timeline and helped the security community understand the attack methodology.
The attack demonstrated that even a small number of compromised customers can have significant consequences when they include high-profile names.
The 2022 disclosure triggered an 11% stock drop, erasing approximately $6 billion in market capitalization. The 2023 breach caused an 11.5% decline when Okta revealed how many customers were affected.
Two breaches in two years made investors nervous. This looked like a pattern, not a one-time mistake.
Okta reached a $60 million securities class action settlement announced in July 2024 and approved in November 2024. The settlement covered the class period from March 3, 2022, through August 31, 2022.
Shareholders alleged that Okta made misleading statements about its security practices and the scope of the LAPSUS$ breach. Okta didn’t admit wrongdoing, but $60 million is still a significant cost.
The pattern of customers detecting breaches before Okta notified them created lasting trust issues. Security teams began questioning whether they should implement additional monitoring rather than relying on Okta’s detection capabilities.
Cloudflare publicly called out that this was “the second time” they’d been hit by an Okta breach. When you’re choosing vendors, patterns matter more than one-time incidents.
Okta made changes after each breach.
After the 2022 breach, Okta dropped Sitel and tightened requirements for third-party vendors. They also started monitoring contractor access more closely.
After the 2023 breach, Okta blocked personal Google profiles on work devices. They also improved support system monitoring and told customers to remove session tokens from HAR files before uploading.
Okta added features that force re-authentication when your network changes. This makes stolen session tokens expire faster.
Okta also updated security training and disclosure policies. But all these changes came after the damage was done.
The repeated Okta data breach incidents offer concrete lessons if you manage identity infrastructure or rely on identity providers.
Multi-factor authentication protects the login process. Once authentication completes, the session token represents that completed process. Stealing the token means stealing the result of successful authentication.
Attackers increasingly target session tokens rather than passwords. Infostealer malware harvests browser cookies alongside credentials. Criminal marketplaces sell session tokens for high-value accounts.
Security teams should monitor for session token exposure through compromised credential monitoring services. If your identity provider offers session binding, enable it. This invalidates tokens when users switch networks or devices.
The Sitel breach enabled the Okta compromise without attackers ever directly targeting Okta’s infrastructure. Your security depends on the security of every vendor with access to your systems.
Third-party data breaches cascade into your environment when vendors have authenticated access. Monitor your vendors for security incidents. Implement least-privilege access for contractor accounts. Establish clear notification requirements in vendor contracts.
Third-party cyber risk management helps you track which vendors could put you at risk.
BeyondTrust and Cloudflare detected suspicious activity before Okta notified them. Their internal monitoring capabilities caught what Okta’s security team missed.
Don’t rely solely on vendor notifications for breach detection. Implement your own data breach monitoring capabilities. Watch for logins from unusual locations, new devices, or off-hours access.
Okta missed the attackers for 14 days because of logging gaps. Better logging catches attackers faster.
An employee’s personal Google account became the entry point for the 2023 breach. Personal devices and accounts fall outside corporate security controls but may have access to sensitive credentials.
BYOD policies need enforcement mechanisms. Consider whether personal accounts should be accessible on work devices. Train employees on the risks of saving work credentials to personal services.
When personal and work accounts mix, attackers find gaps. The Okta breach proved this when an employee’s personal Google account became the entry point.
The Okta breaches show what can go wrong with identity providers. Two incidents in two years. Slow disclosure both times. Customers detecting problems before Okta told them. Session tokens bypassing MFA. Third-party vendors creating attack vectors.
Key lessons for security teams:
The $60 million settlement and stock drops are just the measurable costs. The bigger issue is that security teams now think twice about trusting any identity provider completely.
Check if your credentials have been exposed with a dark web scan.
Session tokens represent already-authenticated sessions. When attackers steal these tokens from HAR files or browser data, they can impersonate users without triggering MFA challenges. The authentication already happened. This is why monitoring for session token exposure is critical for your security team.
BeyondTrust and Cloudflare both detected suspicious activity in their own systems before Okta alerted them. Okta didn’t detect the unauthorized access for 14 days. The lesson is clear: don’t rely solely on vendor notifications. Your internal monitoring catches what vendors miss.
The 2022 LAPSUS$ breach targeted a third-party vendor called Sitel to access Okta’s internal systems. The 2023 breach exploited a compromised service account when an employee saved credentials to a personal Google profile. Both involved credential theft but through different vectors.
The Okta breaches highlight risks inherent to any identity provider. Switching providers doesn’t eliminate session hijacking or credential theft risks. Focus on monitoring for credential exposure. Don’t rely solely on vendor security notifications.
Enable session binding in your identity provider so tokens expire when users switch networks or devices. Monitor for unusual login locations and anomalous admin activity. Use dark web monitoring to detect exposed credentials and tokens before attackers use them.
Data Breach Case Studies Healthcare Security Ransomware Credential Theft
What Happened in the Change Healthcare Breach? On February 21, 2024, Change Healthcare detected ransomware deployed …
Data Breach Case Studies Password Security Credential Theft
What Happened in the LastPass Data Breach? The LastPass data breach stands as one of the most consequential security …