Okta acknowledges 'mistake' in handling of Lapsus$ attack

Identity-management-as-a-service outfit Okta has acknowledged that it made an important mistake in its handling of the attack on a supplier by extortion gang Lapsus$. In an FAQ published last Friday, Okta offered a full timeline of the incident, starting from January 20 when the company learned "a new factor was added to a …

  1. Cederic


    Okta was a sensible choice because they offered a secure implementation of SSO standards that made it easy to integrate SaaS and other software.

    It also means they're easy to migrate away from, because everything integrated with Okta uses standards their competitors all support.


    1. Anonymous Coward

      Re: standards

      "Okta was a sensible choice"

      nope, outsourcing your login to shitty cloud services is ALWAYS fucking stupid!

      1. Tom Chiverton 1

        Re: standards

        Most SMEs would struggle to run a remotely accessible, globally redundant SSO host themselves, so what's the choice other than outsourcing to the cloud?

        1. Anonymous Coward

          Re: standards

          "so what's the choice other than outsourcing to the cloud?"

          Installing Keycloak on your own host.

        2. Anonymous Coward

          Re: standards

          Why would most SMEs require a geo-redundant SSO?

  2. Paul Eagles

    Okta should be ashamed of the piss-poor way they've communicated with customers around this. From their initial arrogant "It's all fine, trust us, you idiots" statement right through, their communication has been woeful.

    For a company that states "trust starts with transparency" on their Trust page, I would like to think they'd be setting themselves higher standards.

    I've told one of their senior sales people as much, but of course haven't had a response.

  3. EnviableOne

    They still don't seem to get it

    Okta was at an event I attended on Friday, and the stock response of "there is nothing to see here" is all they'd come out with.

    They don't seem to realise that the issue is not that they had an incident; it's that they knew about it for 2 months and didn't tell anyone. We would have been fine with "we have identified an issue at one of our sub-processors that may affect a limited number of our customers and we are investigating"

    followed by

    "the issue existed for 4 days, from 10th Jan to 24th Jan, at our outsourced customer service partner Sitel (Sykes) and may have affected up to 366 customers; we will update you when we receive the full report from our DFIR partner <name>, and are informing the customers who may have been affected"


    "here is the full report"

    that would have maintained the trust with their customers, that their business is supposed to be built upon.

    1. Anonymous Coward

      Re: They still don't seem to get it

      All Okta's competitors (and even those companies who do it themselves) have had or will have incidents.

      All one can do is trust them to handle the incidents well when they occur.

      You gain trust with frequent, honest, and accurate reporting.

      You destroy trust with reporting like Okta's.

  4. Anonymous Coward

    Reset passwords? Surely access to these sensitive tools should be governed by a single, SAML- or OIDC-based SSO applic-


    1. Anonymous Coward

      The "lost" factor recovery path is to security what DNS is to networking. If possession of your password (or your TOTP token, or your {factors}) is considered to be your identity, how can you possibly be allowed to recover it? If it isn't, your security depends on whatever the recovery path will accept as proof of identity, which is invariably much weaker than even a weak password. In this case, it was whatever any of hundreds of outsourcing provider employees' laptops/workstations chose to say it believed.

      Oopta! It's not surprising that one of them was compromised; it would be surprising if none were. But even if they weren't, any recovery process is the soft underbelly of authn. They invariably place too much emphasis on getting people back to work quickly, instead of being the costly, intrusive, and time-consuming adversarial challenge they should be. That Okta -- whose *entire business* is authn -- couldn't even be arsed to handle it themselves pretty much says it all.
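The recovery-path argument in the comment above, worked through as an added example (my own code, not Okta's, Sitel's or the commenter's): a lost-MFA reset gated only on a support agent's attestation, beside one gated on a single-use recovery code that only the user holds. The account, the user name "alice", the sample codes and the PBKDF2 parameters are all constructed or assumed for the example and are not any vendor's settings.

```python
import hashlib
import hmac
import secrets


def _hash_code(code: str, salt: bytes) -> bytes:
    """Slow hash for a recovery code (assumed PBKDF2 parameters, not a vendor's)."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class Account:
    """Constructed account: one MFA factor plus hashed, single-use recovery codes."""

    def __init__(self, username: str):
        self.username = username
        self.mfa_enrolled = True
        self.salt = secrets.token_bytes(16)
        self._recovery_hashes: list[bytes] = []

    def issue_recovery_codes(self, n: int = 5) -> list[str]:
        """Mint n codes at enrolment; only their hashes stay server-side."""
        codes = [secrets.token_hex(8) for _ in range(n)]
        self._recovery_hashes = [_hash_code(c, self.salt) for c in codes]
        return codes  # shown to the user once, never stored in clear

    def codes_remaining(self) -> int:
        return len(self._recovery_hashes)

    def consume_recovery_code(self, code: str) -> bool:
        """Accept a code at most once; constant-time compare against each stored hash."""
        digest = _hash_code(code, self.salt)
        for i, stored in enumerate(self._recovery_hashes):
            if hmac.compare_digest(digest, stored):
                del self._recovery_hashes[i]  # burn it so it cannot be replayed
                return True
        return False


def reset_via_support(account: Account, agent_says_verified: bool) -> bool:
    """Weak path: the only 'proof' is whatever the support workstation asserts.
    A compromised agent machine can assert anything, which is the soft
    underbelly the comment describes."""
    if agent_says_verified:
        account.mfa_enrolled = False  # factor unbound; an attacker can now enrol their own
        return True
    return False


def reset_via_recovery_code(account: Account, code: str, agent_says_verified: bool) -> bool:
    """Stronger path: the agent's attestation is deliberately ignored; only a
    secret handed to the user at enrolment can unbind the factor."""
    del agent_says_verified  # kept in the signature only to show it carries no weight
    if account.consume_recovery_code(code):
        account.mfa_enrolled = False
        return True
    return False


def demo() -> dict:
    """Constructed scenario: the support workstation is compromised and its
    'verified' attestation is forged; compare what each policy does."""
    alice = Account("alice")
    codes = alice.issue_recovery_codes()

    weak = reset_via_support(alice, agent_says_verified=True)  # forged attestation succeeds
    alice.mfa_enrolled = True  # re-enrol for the next scenario

    forged = reset_via_recovery_code(alice, "0" * 16, True)    # guessed code rejected
    legit = reset_via_recovery_code(alice, codes[0], False)    # real code accepted
    replay = reset_via_recovery_code(alice, codes[0], True)    # same code again rejected
    return {
        "weak_override": weak,
        "forged_code": forged,
        "legit_code": legit,
        "replay": replay,
        "codes_left": alice.codes_remaining(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the second policy is not that recovery codes are perfect (a user who loses both the factor and the codes still ends up in a manual process) but that the agent's workstation is no longer a single assertion away from unbinding anyone's MFA; whatever that manual process is, it should be the slow, adversarial check the comment asks for rather than a console button.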

  5. spireite

    Okta, trusted

    Yet another oxymoron breaks out into the public eye....

    I always get nervous when everyone higher up seems to think that cloud vendors of anything can do the job ALWAYS better than the inhouse team.

    Yet again, this is an example of 'outsourcing by another name' and 'this action shifts all responsibility from our company'...... no it doesn't.
