Few companies have had a worse two years publicly than Okta did between January 2022 and late 2023. The identity provider that underpins single sign-on for a substantial slice of the Fortune 1000 suffered three distinct and cascading incidents in that window, each of which taught its customers something uncomfortable about what it means to outsource identity to a third party. Taken individually, any of these incidents would have been a bad quarter. Taken together, they form one of the clearest supply chain case studies of the decade.
This retrospective walks through the three major events in order, pulls out what each one revealed, and connects them to the broader question every security program eventually has to answer: how do you depend on a vendor that is itself being attacked?
January 2022: The Lapsus$ Intrusion
Late on March 21, 2022, the extortion group Lapsus$ posted screenshots on Telegram that appeared to show administrative access to Okta's internal systems. The images were specific enough (Cloudflare's tenant, a customer support console, superuser features) to cause immediate panic. Okta's initial public response, on March 22, was that the screenshots related to an incident it had investigated back in January and that the Okta service itself had not been breached.
That statement did not hold up well. Over the following week, Okta's account shifted substantially. The intrusion window was January 16 to January 21, 2022, via a compromised laptop belonging to a support engineer at Sitel, a third-party customer support contractor. Lapsus$ had taken control of the engineer's machine over RDP and, by Okta's March accounting, had a five-day window in which it could have reached Okta's support console, SuperUser, and acted against as many as 366 customer tenants, about 2.5% of Okta's customer base at the time. Okta's final forensic report, published April 19, 2022, narrowed that considerably: the actor actively controlled the workstation for 25 consecutive minutes on January 21 and accessed two customer tenants. The number customers remembered was the first one.
Okta had noticed something on January 20, 2022: an attempt to add a new MFA factor to the Sitel engineer's Okta account from a new location. Okta's team terminated the session and reported it to Sitel, and Sitel, not Okta, engaged a forensics firm. The summary report reached Okta on March 17, 2022, and Okta held it for five days until Lapsus$ forced the issue on March 21. The gap between "we knew" and "we told customers" was the first real lesson. Customers learned about activity touching their tenants from Telegram before they learned about it from their identity provider.
Cloudflare and other customers spent days reconstructing what SuperUser could actually do, because Okta's first statements did not say. The answer, once Okta gave it: support engineers could reset passwords and MFA factors for users in a customer tenant, but could not view or obtain passwords, create or delete users, change tenant configuration, or download customer databases. The blast radius was narrower than the screenshots implied, but a contractor's support laptop being effectively a skeleton key for password and MFA resets across hundreds of tenants was not a comforting clarification.
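What SuperUser could do is also exactly what a tenant should be watching for. As an added example (not Okta's tooling and not code from this page's author), the Python below triages Okta System Log events for the three actions Sitel engineers were able to perform, plus support impersonation sessions, and treats any reset not performed by a known help-desk admin or by the user on their own account as a finding. The eventType strings are Okta System Log values; the help-desk IDs, privileged logins and SAMPLE_EVENTS are constructed for illustration.

```python
"""Triage Okta System Log events for the actions Okta's support tooling could
take inside a customer tenant: password resets, MFA factor resets and support
impersonation sessions.

Added example, not code from Okta, Safeguard or this page's author. The
eventType strings are Okta System Log values; trusted-admin IDs, privileged
logins and SAMPLE_EVENTS are constructed for illustration."""
import json
from typing import Iterable, List, Optional

# What a support engineer with SuperUser access could do to a tenant's users.
CREDENTIAL_RESET_EVENTS = {
    "user.account.reset_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}
# Okta Support can only act inside a session a tenant admin has granted, so
# every impersonation event deserves a ticket.
IMPERSONATION_EVENTS = {
    "user.session.impersonation.initiate",
    "user.session.impersonation.grant",
}
TRUSTED_ADMINS = {"00u1helpdeskA", "00u1helpdeskB"}   # hypothetical help-desk user IDs
PRIVILEGED_LOGINS = {"superadmin@example.com"}        # hypothetical accounts to treat as critical


def _finding(severity: str, reason: str, event: dict, targets: List[str]) -> dict:
    actor = event.get("actor") or {}
    return {
        "severity": severity,
        "reason": reason,
        "eventType": event.get("eventType"),
        "published": event.get("published"),
        "actor": f'{actor.get("type")}:{actor.get("displayName") or actor.get("id")}',
        "ip": (event.get("client") or {}).get("ipAddress"),
        "targets": targets,
    }


def triage(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious event, None for benign ones."""
    etype = event.get("eventType", "")
    actor = event.get("actor") or {}
    users = [t for t in (event.get("target") or []) if t.get("type") == "User"]
    logins = [t.get("alternateId", "") for t in users]

    if etype in IMPERSONATION_EVENTS:
        return _finding("high", "support impersonation session", event, logins)

    if etype in CREDENTIAL_RESET_EVENTS:
        # A user resetting a factor on their own account is ordinary self-service.
        if actor.get("type") == "User" and actor.get("id") in {t.get("id") for t in users}:
            return None
        # Anyone else who is not a known help-desk admin, including non-User
        # actor types, is a finding; escalate when a privileged login is hit.
        if actor.get("type") != "User" or actor.get("id") not in TRUSTED_ADMINS:
            severity = "high" if PRIVILEGED_LOGINS & set(logins) else "medium"
            return _finding(severity, "credential reset by untrusted actor", event, logins)
    return None


def triage_log(lines: Iterable[str]) -> List[dict]:
    """Run triage over newline-delimited JSON as exported from the System Log API."""
    findings = []
    for line in lines:
        if line.strip():
            f = triage(json.loads(line))
            if f:
                findings.append(f)
    return findings


def _ev(etype, actor_type, actor_id, actor_name, target=None, ip="203.0.113.10"):
    """Build a minimal constructed System Log event (actor shape is illustrative)."""
    return {"eventType": etype, "published": "2022-01-21T12:00:00.000Z",
            "actor": {"id": actor_id, "type": actor_type, "displayName": actor_name},
            "client": {"ipAddress": ip},
            "target": [{"id": target[0], "type": "User", "alternateId": target[1]}] if target else [],
            "outcome": {"result": "SUCCESS"}}

SAMPLE_EVENTS = [
    _ev("user.account.reset_password", "SystemPrincipal", "support-tool", "Okta Support",
        ("00uSA", "superadmin@example.com")),                      # support-side reset of a super admin
    _ev("user.mfa.factor.reset_all", "User", "00u1helpdeskA", "Help Desk A",
        ("00uBob", "bob@example.com")),                            # trusted admin, routine
    _ev("user.mfa.factor.deactivate", "User", "00uCarol", "Carol",
        ("00uCarol", "carol@example.com")),                        # self-service
    _ev("user.session.impersonation.grant", "User", "00uSA", "superadmin@example.com"),
    _ev("user.account.reset_password", "User", "00uMallory", "Mallory",
        ("00uBob", "bob@example.com"), ip="198.51.100.7"),         # unknown actor
    _ev("user.session.start", "User", "00uBob", "Bob", ("00uBob", "bob@example.com")),
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

Run against the constructed log, it produces three findings: the support-side reset of the super admin and the impersonation grant as high, the reset by an unrecognised user as medium, while the help-desk admin's routine reset and Carol's self-service factor change stay quiet. Compare the actor shapes against how support actions actually appear in your own tenant before relying on the SystemPrincipal branch.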
August 2022: The 0ktapus Campaign
The second chapter was not, strictly speaking, an Okta breach. A threat actor that Group-IB later dubbed 0ktapus ran a phishing campaign between March and August 2022 against employees of companies that used Okta. SMS lures pointed at fake Okta login pages that harvested usernames, passwords and one-time MFA codes and forwarded them to the operators through a Telegram bot quickly enough to replay the codes against the real Okta before they expired: an adversary-in-the-middle result achieved with a static phishing kit rather than a transparent proxy.
The campaign hit at least 130 organizations (Group-IB counted 136) and harvested 9,931 credentials. Victims included Twilio, DoorDash, Mailchimp, Signal (through Twilio), and a list of other vendors most enterprises depend on. Cloudflare was targeted in the same wave and a few employees did enter their passwords, but the attackers got no further because Cloudflare staff authenticate with FIDO2 hardware keys, which are bound to the legitimate origin and will not produce a usable assertion for a look-alike domain. 0ktapus was not Okta's fault in the narrow sense: the phishing pages were not hosted by Okta and the credentials were phished from end users. But it made clear that "using Okta" was itself a targetable signal. Attackers were now building kits specifically against Okta's login flow.
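The difference between a relayable one-time code and an origin-bound WebAuthn assertion is the whole reason Cloudflare walked away from 0ktapus and Twilio did not. The Python below, added here as an example and not code from Okta, Cloudflare or the original page, models both halves: an RFC 6238 TOTP that the kit can simply forward, and a deliberately simplified FIDO2 assertion in which the browser records the origin it actually showed the user. HMAC stands in for the authenticator's ECDSA signature so it runs on the standard library alone; the key, origins, rpId and challenge are constructed.

```python
"""Why 0ktapus-style relay phishing beats OTP codes but not hardware keys.

Added example, not code from Okta, Cloudflare or the page's author. The TOTP
half is RFC 6238; the WebAuthn half is a simplified model of a FIDO2
assertion with HMAC standing in for the authenticator's ECDSA signature.
Keys, origins, rpId and challenge are constructed."""
import hashlib
import hmac
import json
import struct

TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test vector key, constructed enrolment
NOW = 1_700_000_000                      # fixed clock so the example is deterministic


# ---- One-time codes: anything the victim can type, the attacker can relay ----
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def idp_verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    return hmac.compare_digest(totp(secret, now), submitted)

def relay_otp_phish(now: int) -> bool:
    """Victim types the live code into the fake page; the kit forwards it to the
    real IdP inside the 30-second window. The IdP cannot tell and accepts it."""
    code_typed_on_fake_page = totp(TOTP_SECRET, now)
    return idp_verify_totp(TOTP_SECRET, code_typed_on_fake_page, now)


# ---- WebAuthn: the browser binds the assertion to the origin it really showed ----
KEY_PAIR = b"device-bound-key"      # stand-in for the credential's key pair
RP_ID = "acme.okta.com"             # constructed relying party ID
REAL_ORIGIN = "https://acme.okta.com"
PHISH_ORIGIN = "https://acme-okta.com"

def authenticator_get(origin: str, rp_id: str, challenge: str) -> dict:
    """Browser + authenticator: clientDataJSON records the page's actual origin,
    authenticatorData carries SHA-256(rpId), and both are under the signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(KEY_PAIR, signed, hashlib.sha256).digest()}

def rp_verify(assertion: dict, challenge: str) -> bool:
    """Relying party: check type, challenge, origin, rpIdHash, then the signature
    over authenticatorData || SHA-256(clientDataJSON)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False    # a relayed assertion dies here: the browser wrote the phishing origin
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(KEY_PAIR, signed, hashlib.sha256).digest(),
                               assertion["signature"])

def legitimate_webauthn(challenge: str) -> bool:
    return rp_verify(authenticator_get(REAL_ORIGIN, RP_ID, challenge), challenge)

def relay_webauthn_phish(challenge: str) -> bool:
    """Kit forwards the IdP's challenge to the victim's browser on the look-alike
    origin and relays the assertion back. A real browser would refuse to even
    look up a credential scoped to acme.okta.com from acme-okta.com; here we
    let it sign to show the origin check fails regardless."""
    return rp_verify(authenticator_get(PHISH_ORIGIN, RP_ID, challenge), challenge)


if __name__ == "__main__":
    print("relayed TOTP accepted:", relay_otp_phish(NOW))
    print("legit WebAuthn accepted:", legitimate_webauthn("c2FsdC1jaGFsbGVuZ2U"))
    print("relayed WebAuthn accepted:", relay_webauthn_phish("c2FsdC1jaGFsbGVuZ2U"))
```

The only thing the attacker controls in the WebAuthn case is where the victim's browser is pointed, and that is precisely the value the browser signs into clientDataJSON. Nothing the kit relays can change it, which is why the countermeasure is a property of the protocol and not of user training.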
October 2023: The Support System Breach
The third chapter began on October 2, 2023, when BeyondTrust detected an attacker using a valid session against its Okta tenant within about thirty minutes of a BeyondTrust administrator uploading an HTTP Archive (HAR) file to Okta's customer support case system, as Okta support had requested for a troubleshooting ticket. The HAR file contained that administrator's live Okta session cookie. The attacker had pulled it out of Okta's support case management system using a compromised service account; Okta later traced the service account's credentials to an employee's personal Google account, which had been signed in to Chrome on an Okta-managed laptop.
BeyondTrust reported the activity to Okta the same day and for more than two weeks was told, in effect, that the problem was on its own end. Okta confirmed the breach to BeyondTrust on October 19 and publicly on October 20, 2023, scoping it at about 1% of customers (134 tenants). On November 29, 2023, Okta revised that: the attacker had also downloaded a report containing the names and email addresses of every user of the customer support system, which in practice meant roughly every Okta administrator outside the FedRAMP and DoD IL4 environments.
1Password, Cloudflare, and BeyondTrust all published their own detections of follow-on activity. Cloudflare's writeup of October 20, 2023 described catching the attacker on its tenant on October 18, two days before Okta's notification. In a February 1, 2024 post Cloudflare went further: one access token and three service account credentials exposed in the Okta breach had not been rotated, and an actor Cloudflare assessed as nation-state used them against its Atlassian environment during the Thanksgiving 2023 window. The HAR-file vector was particularly uncomfortable because the files are a legitimate, vendor-requested artifact. Customers had been trained to upload them, and a HAR of a login flow captures every cookie and header the browser sent.
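A HAR file is plain JSON, so the fix is mechanical: redact before uploading, and verify the redaction. The Python below is an added example (not Okta's own HAR sanitizer and not code from this page's author) that scrubs every cookie, the headers and query parameters that carry sessions or tokens, and credential fields in request and response bodies, then checks that a list of known secrets is genuinely gone from the serialized file. The HAR 1.2 layout is the format's own; the header, parameter and body-field name lists and SAMPLE_HAR are this example's constructions.

```python
"""Strip session material from a HAR file before it goes to a vendor's
support portal, the failure mode of the October 2023 Okta support breach.

Added example, not Okta's HAR sanitizer or this page's author's code. HAR 1.2
structure (log.entries[].request/response with headers, cookies, queryString,
postData.text, content.text) is the format's own; the name lists below are
this example's choices and SAMPLE_HAR is constructed."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_PARAMS = {"sessiontoken", "token", "code", "id_token", "access_token", "refresh_token"}
# Credential-bearing JSON fields that turn up in login and token-exchange bodies.
BODY_FIELD_RE = re.compile(
    r'("(?:sessionToken|stateToken|id_token|access_token|refresh_token|password|passCode)"\s*:\s*")([^"]*)(")')


def _scrub_pairs(pairs, names, stats):
    """Redact HAR name/value pairs; names=None means every pair (used for cookies)."""
    for p in pairs or []:
        if (names is None or p.get("name", "").lower() in names) and p.get("value"):
            p["value"] = REDACTED
            stats["redacted"] += 1

def _scrub_text(container, key, stats):
    """Redact credential fields inside a JSON body carried as a string."""
    text = (container or {}).get(key)
    if isinstance(text, str):
        container[key], n = BODY_FIELD_RE.subn(lambda m: m.group(1) + REDACTED + m.group(3), text)
        stats["redacted"] += n

def _scrub_url(req, stats):
    """The URL repeats the query string, so scrub it as well as queryString[]."""
    parts = urlsplit(req.get("url", ""))
    if not parts.query:
        return
    old = parse_qsl(parts.query, keep_blank_values=True)
    new = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS and v else v) for k, v in old]
    stats["redacted"] += sum(1 for (_, v), (_, nv) in zip(old, new) if v != nv)
    req["url"] = urlunsplit(parts._replace(query=urlencode(new)))

def scrub_har(har: dict) -> dict:
    """Redact in place; return counts so the uploader can see what was removed."""
    stats = {"entries": 0, "redacted": 0}
    for entry in har.get("log", {}).get("entries", []):
        stats["entries"] += 1
        req, resp = entry.get("request", {}), entry.get("response", {})
        _scrub_pairs(req.get("cookies"), None, stats)    # every cookie, Okta's `sid` included
        _scrub_pairs(resp.get("cookies"), None, stats)
        _scrub_pairs(req.get("headers"), SENSITIVE_HEADERS, stats)
        _scrub_pairs(resp.get("headers"), SENSITIVE_HEADERS, stats)
        _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS, stats)
        _scrub_url(req, stats)
        _scrub_text(req.get("postData"), "text", stats)
        _scrub_text(resp.get("content"), "text", stats)
    return stats

def leaked(har: dict, secrets) -> list:
    """Belt and braces: which known secret strings still appear anywhere in the file."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed single-entry HAR of an Okta sign-in, with made-up secret values.
SAMPLE_SECRETS = ["102~sidvalue", "xyz-device", "00aBcApiToken", "20111sessionTok", "hunter2"]
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "POST",
        "url": "https://acme.okta.com/api/v1/authn?sessionToken=20111sessionTok&limit=20",
        "cookies": [{"name": "sid", "value": "102~sidvalue"}, {"name": "DT", "value": "xyz-device"}],
        "headers": [{"name": "Cookie", "value": "sid=102~sidvalue; DT=xyz-device"},
                    {"name": "Authorization", "value": "SSWS 00aBcApiToken"},
                    {"name": "Accept", "value": "application/json"}],
        "queryString": [{"name": "sessionToken", "value": "20111sessionTok"}, {"name": "limit", "value": "20"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"username":"alice@example.com","password":"hunter2"}'}},
    "response": {"status": 200,
        "cookies": [{"name": "sid", "value": "102~sidvalue"}],
        "headers": [{"name": "Set-Cookie", "value": "sid=102~sidvalue; Path=/; Secure; HttpOnly"}],
        "content": {"mimeType": "application/json",
                    "text": '{"status":"SUCCESS","sessionToken":"20111sessionTok"}'}}}]}}

def run_sample():
    """Scrub a copy of SAMPLE_HAR; return (stats, secrets before, secrets after)."""
    har = copy.deepcopy(SAMPLE_HAR)
    before = leaked(har, SAMPLE_SECRETS)
    stats = scrub_har(har)
    return stats, before, leaked(har, SAMPLE_SECRETS)

if __name__ == "__main__":
    stats, before, after = run_sample()
    print(stats, "leaked before:", before, "leaked after:", after)
```

The `leaked` check is the part worth keeping even if you swap in a vendor's own sanitizer: a redaction tool that is never tested against the secret it was supposed to remove is how a live `sid` ends up in a support ticket.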
August 2023 Prelude: Cross-Tenant Impersonation
Between the 0ktapus campaign and the support system breach, Okta published an advisory on August 31, 2023 about what it called cross-tenant impersonation. Between late July and mid-August 2023, attackers had phoned several US customers' IT help desks, persuaded staff to reset the MFA factors of highly privileged users, signed in as those users, and then configured a second identity provider in the tenant through inbound federation so they could impersonate any user in it. It was not a vulnerability in Okta's code; it was an abuse of administrative features that exist for legitimate reasons, and Okta's recommended fixes (phishing-resistant authenticators for admins, restricting who may reset factors for super admins, alerting on new identity providers) were configuration, not patches. But it reinforced the emerging pattern: attackers had studied Okta's administrative model in detail precisely because the company had become a high-value target.
What The Pattern Actually Teaches
Three things emerge when you look at 2022 and 2023 together rather than as separate incidents.
The first is that identity providers are supply chain dependencies in the strictest sense. When Okta is compromised, downstream customers are compromised — not metaphorically, but literally, because session tokens and MFA resets are the coin of the realm. The blast radius of an Okta incident is bounded by what Okta employees and contractors can do inside customer tenants, and in both the Sitel and the HAR-file cases, that turned out to be more than customers had modeled.
The second is that disclosure pace matters. In both 2022 and 2023, Okta's initial public statements understated the scope, and both times the final numbers came out only after pressure from affected customers. Customers who treated the first press release as ground truth made worse decisions than customers who assumed the scope would grow.
The third is that the attacker ecosystem adapts to vendor concentration. 0ktapus built a kit specifically for Okta. Lapsus$ targeted a contractor whose job was supporting Okta customers. The HAR-file attacker understood that a specific file format in a specific support system was where sessions got casually handed over. The moment a vendor becomes critical enough, attackers specialize.
How Safeguard Helps
Safeguard treats identity providers like Okta as first-class supply chain components, tracking their incident history, configuration drift, and the specific tokens or secrets that touch customer environments. When a vendor disclosure lands, Safeguard correlates the affected scopes to the actual integrations in your tenant — so you know within minutes whether a HAR file you uploaded last month or a service account you provisioned last year falls inside the blast radius. The platform also monitors session-token hygiene, flags long-lived tokens that should have been rotated, and supports policy gates that block deployments depending on a vendor under active incident response. The goal is simple: when your identity provider has a bad week, you should not be reconstructing scope from Telegram screenshots.