
Okta. Three Breaches. Three Trust Paths. All Inside The Identity Surface Okta Sells Defense For. Sitel, Source Code, Support Case System.

  • Writer: Patrick Duggan
  • 7 min read

Trellix had source code in RansomHouse hands in May 2026. Checkmarx had source code in LAPSUS$ hands in April 2026. We wrote about both yesterday in the "Security Vendor Industry Is The Soft Surface" frame. Okta belongs in the same conversation. Okta has been breached three distinct times through three distinct trust paths, and all three trust paths are inside the identity-surface vertical Okta exists to defend. The pattern is not a coincidence and not a one-time misfortune. The pattern is the identity vendor failing at identity, repeatedly, across years, through the exact attack classes the vendor's commercial value proposition promises to prevent.


This is technical critique, not mockery. Okta employs serious engineers, and the post-incident reporting from the company has been substantively more forthcoming than the comparable disclosures from some peers. What makes the Okta case operationally significant for defenders downstream is the breach count and the trust-path pattern across the breaches, not the quality of the post-incident response. The story is the recurrence and the path through which the recurrences happen.



Breach one — Sitel third-party customer support compromise, January 2022


LAPSUS$ compromised a customer-service engineer's laptop at Sitel Group, the outsourced customer support provider Okta contracted to handle support cases. The compromise occurred in mid-to-late January 2022. The Sitel engineer had access to internal Okta administrative tooling through their support role. LAPSUS$ used that access to view and potentially modify Okta customer instances during a five-day window.


Okta's initial public statement on March 22, 2022 minimized the impact. Then-CSO David Bradbury framed the incident as posing "no ongoing risk" to Okta customers. The framing did not survive twenty-four hours of independent researcher analysis. By March 23, the actual scope — approximately 366 Okta customers with instances potentially accessed during the five-day window — was on the public record. The disclosure timing and the initial-statement minimization became their own scandal in the defender community, separate from the breach itself.


The trust path: Okta outsourced customer support to a third party. The third party's engineer became the breach vector. The identity vendor's identity surface was compromised because the support-tier identity surface was outside the identity vendor's direct security perimeter. The defender failure was not technical sophistication; it was the supply-chain-trust assumption that the contracted support provider would have equivalent identity-hygiene controls. Sitel did not.



Breach two — GitHub source code theft, December 2022


In December 2022 Okta disclosed a separate incident: the company's Workforce Identity Cloud source code repositories on GitHub had been compromised. A threat actor accessed Okta's private GitHub-hosted code and exfiltrated source repositories. Okta's disclosure stated that no customer data and no Okta service was directly impacted because the code itself does not contain customer credentials or production secrets. The framing is technically accurate. The framing also misses the operational concern.


Source code from an identity vendor is the highest-value Git repository class on the market for operators looking to develop bypass and trust-path-abuse research against that vendor's product. Whatever the GitHub-repo-theft adversary did with the Okta source code in late 2022 and 2023 is not public. What is public is that the Okta-product attack surface available to research-tier adversaries expanded the moment that source code left Okta's perimeter. The same shape that we wrote about yesterday with Trellix and Checkmarx applies here: identity-vendor source code is the bypass-research asset for adversaries targeting identity-vendor product deployments.


The trust path: Okta's own GitHub-hosted private repository, an identity-protected resource, was breached. The vendor whose entire product line is identity-tier access control had its identity-tier access control fail at the development-asset layer.



Breach three — Support Case Management System, October 2023


This is the breach the broader defender community remembers most vividly because of how the downstream blast radius played out. In late August 2023 a threat actor obtained credentials for a service account inside Okta's customer support case management system. The account had access to HAR files — HTTP Archive recordings — that Okta customers had uploaded as part of routine support troubleshooting.


HAR files contain captured session tokens. When a customer uploads a HAR file to troubleshoot a session-management issue with their Okta tenant, the file may contain the very session token that authenticates the customer's privileged user against their own Okta admin console. The threat actor walked the support case management system, harvested HAR files at scale, and extracted session tokens for privileged users at the affected customers.


Okta initially notified 134 customers in October 2023. Within weeks, the scope expanded. By late November 2023, Okta acknowledged that the support system breach exposed data on all Okta customer support system users — approximately 1,825 customer organizations. The downstream notifications during October–November 2023 read like a who's-who of the identity-and-security industry. 1Password disclosed an attempted post-Okta-breach pivot against their environment. BeyondTrust disclosed a similar attempt. Cloudflare disclosed that the Okta breach enabled an attempted pivot against Cloudflare's identity infrastructure that Cloudflare detected and contained. Each of these companies was an Okta customer; each was targeted in the immediate aftermath via session tokens harvested from HAR files in Okta's support case system.


The trust path: Okta's customer support workflow accepted HAR file uploads. HAR files routinely contain session tokens. The support case management system service account that handled the uploaded files was compromised. The identity tokens of Okta's own customers' privileged admin users were extracted at scale. The identity vendor's identity-token-handling infrastructure was the breach.
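Added example, not code from the original post and not Okta's own tooling: a pre-upload HAR sanitizer in Python that redacts the header and cookie values through which a support capture carries session tokens, run over a constructed sample capture. The tenant hostname, cookie name and token strings are fabricated; the sensitive-header list is a generic HTTP heuristic, not a vendor specification.

```python
import json
from copy import deepcopy

REDACTED = "[REDACTED]"
# Generic HTTP headers that carry credentials or session state; any header whose
# name contains "token" is also treated as sensitive (heuristic, not a vendor spec).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

def _is_sensitive_header(name: str) -> bool:
    n = name.lower()
    return n in SENSITIVE_HEADERS or "token" in n

def sanitize_har(har: dict) -> tuple:
    """Return (scrubbed copy of a HAR 1.2 document, number of values redacted).
    URLs, status codes and timings are kept so the file still troubleshoots."""
    out = deepcopy(har)
    redacted = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for hdr in msg.get("headers", []):
                if _is_sensitive_header(hdr.get("name", "")) and hdr.get("value") != REDACTED:
                    hdr["value"] = REDACTED
                    redacted += 1
            # HAR lists parsed cookies separately from the Cookie header. A harmless
            # name is no guarantee the value is not a session id, so redact every one.
            for cookie in msg.get("cookies", []):
                if cookie.get("value") != REDACTED:
                    cookie["value"] = REDACTED
                    redacted += 1
    return out, redacted

def har_contains(har: dict, needle: str) -> bool:
    """Pre-upload gate: True if needle still appears anywhere in the serialized HAR."""
    return needle in json.dumps(har)

# Constructed sample capture (not a real HAR): one admin-console request whose Cookie
# and Authorization headers, and the parsed cookie lists, carry fabricated tokens.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://admin.example-tenant.invalid/admin/users",
        "headers": [{"name": "Accept", "value": "application/json"},
                    {"name": "Cookie", "value": "sid=FAKE-SESSION-0001"},
                    {"name": "Authorization", "value": "Bearer FAKE-API-TOKEN"}],
        "cookies": [{"name": "sid", "value": "FAKE-SESSION-0001"}]},
    "response": {"status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=FAKE-SESSION-0002; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "FAKE-SESSION-0002"}]},
}]}}
```

Run `har_contains(clean, "<known token prefix>")` as the final gate before anything leaves the tenant; a sanitizer that misses one field is indistinguishable from no sanitizer once the file sits in a third party's case system.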



The pattern across the three



| Breach | Trust Path | Date | Identity-Surface Component That Failed |
|---|---|---|---|
| Sitel | Third-party outsourced customer support | January 2022 | Supply-chain identity hygiene (contractor access controls) |
| GitHub source code | Private GitHub repositories | December 2022 | Internal-development-asset identity controls |
| Support Case Management | Service account + HAR file handling | October 2023 | Support-workflow identity-token handling |


Three breaches. Three distinct identity-surface components inside the identity-vendor's perimeter. Each component is a trust path Okta sells defense for at the customer-facing product layer. The third-party customer support story is the supply-chain-identity story Okta's customers buy Okta to solve. The source-code-theft story is the privileged-development-identity story. The HAR-file-and-session-token story is the session-management story that is literally Okta's core product. Each breach is the identity vendor failing at the exact identity sub-vertical the vendor's product line addresses.


The pattern is structural. The vendor's commercial pitch is that organizations should outsource identity-tier security to Okta because Okta's specialized focus produces better outcomes than the customer could build in-house. The receipts say the vendor's specialized focus has produced three breaches inside the specialty, in five years, with downstream blast radius into 1Password, BeyondTrust, Cloudflare, and an estimated 2,300+ other organizations across the three incidents combined.


This is not an argument for not using Okta. The alternative identity-vendor choices have their own incident histories. This is an argument for not assuming the identity-vendor-specialization commercial pitch translates into operationally better identity-tier security relative to a defender posture that consumes public threat intelligence, integrates credential-breach feeds at the authentication layer, and treats third-party-vendor access as the soft surface it has always been.



The downstream-blast-radius math


The third Okta breach (support case management, 2023) produced documented downstream targeting attempts against 1Password, BeyondTrust, and Cloudflare. Those three customers had the security telemetry and incident-response posture to detect and contain the post-Okta-breach pivot attempts. The other ~2,300 affected Okta customer support system users do not have public reporting confirming whether they detected and contained equivalent pivot attempts, or whether they were silently compromised through the harvested session tokens during the October–November 2023 window before Okta's full-scope disclosure landed.


The cost-curve math on this is the same math we have been writing all month under the asymmetry-take-the-fight frame. Cloudflare's security organization caught the pivot because Cloudflare's defender posture is operational, well-resourced, and continuous. The smaller Okta customers without equivalent defender resources are the population for whom the breach's actual cost is hidden. Some of them were silently compromised. The bill for the silent compromises is what defender markets call "long-tail incident cost" — the breach-class harm that does not produce a press release because the affected organization did not have the telemetry to know.


The defender posture downstream of the Okta-breach pattern is the same posture downstream of the Trellix and Checkmarx receipts. Do not assume single-vendor identity specialization protects you. Layer identity defenses. Consume public threat intelligence that flags vendor-tier breaches in real time so you can act on the seventy-two-to-ninety-six-hour window between vendor disclosure and operator-tier pivot research. Audit your HAR-file-upload workflow assumptions across every SaaS vendor that handles support cases — Okta is not the only vendor whose support workflow could leak session tokens; it is the vendor that got caught.



The asymmetry frame applied


Okta's market cap, annual revenue, security-organization staffing, threat-intelligence-consumption budget, customer-incident-response retainers, and post-breach legal-and-PR funding are all orders of magnitude beyond the operating budget of a two-person threat-intelligence shop in Minnesota. The cost-curve inversion is real. Okta has every resource that could be cited in its defense against an asymmetric-comparison argument. Okta has also been breached three times in five years through trust paths inside the identity-defense vertical Okta sells.


The defender market that consumed public threat intelligence (and credential-breach feeds, and session-token-handling-best-practices analysis) during 2022 and 2023 had visibility on each of the three Okta breach patterns before the affected customer populations received their notification letters from Okta. The cheapest defender posture beats the most expensive defender brand, again, in a different vendor's case, with the same underlying receipt.


Three breaches. Three trust paths. The identity surface is the soft surface even when the vendor specializes in identity. The receipts compound. The pattern is structural. The defender posture downstream is the layered-and-feed-consuming posture. The asymmetry inversion holds.





The receipts compound


The threat intelligence in this post — the third-party trust-path analysis, the HAR-file-and-session-token attack class, the downstream-blast-radius accounting across 1Password and BeyondTrust and Cloudflare, the vendor-breach pattern detection across the security vendor cohort — all ship out through DugganUSA's public STIX 2.1 threat-intelligence feed. Free. No credit card. Machine-consumable. Registration takes thirty seconds at [analytics.dugganusa.com/stix/register](https://analytics.dugganusa.com/stix/register).


Yesterday we documented that customers consuming our feed had visibility on the BlueHammer Microsoft Defender CVE for forty days before Microsoft's MSRC blog officially acknowledged the cluster. The asymmetry inversion is real, it is dated, and it compounds for whoever subscribes. The same predictive-kill-chain pattern applied to the Okta support case management breach in 2023 — defenders downstream of public threat intelligence had visibility on the HAR-file-and-session-token attack class before the Okta-specific exploitation pivot landed on 1Password, BeyondTrust, and Cloudflare.


The cheapest defender posture beats the most expensive defender brand. Subscribe. The receipts compound.


— Patrick Duggan · DugganUSA LLC



