
Okta

US identity and access management platform whose 2022 Lapsus$ breach reinforced the identity-as-attack-surface doctrine, cited in post-Stryker analysis.

Last refreshed: 17 April 2026

Key Question

How does Okta's 2022 breach connect to the 2026 Stryker device wipe?

Common Questions
Was Okta hacked in 2022?
Yes. In 2022 the Lapsus$ group obtained access to Okta's internal systems via a third-party support provider. The incident affected a limited number of Okta customers and demonstrated that identity providers themselves are a high-value attack surface. Source: Okta / CISA
Why is Okta mentioned in the Stryker cyber attack analysis?
Okta's 2022 Lapsus$ breach and the 2020 SolarWinds SUNBURST compromise together established identity as the primary enterprise attack surface. The Stryker MDM wipe in 2026 is cited as the first operational proof at 200,000-device scale that the identity-plane doctrine did not translate into adequate MDM controls. Source: Lowdown analysis

Background

Okta is referenced in the Stryker incident analysis as the 2022 Lapsus$ access case that, alongside SolarWinds SUNBURST in 2020, established "identity is the new perimeter" as industry doctrine. The Stryker MDM wipe is assessed as the first post-doctrine mass-scale demonstration that enterprise identity-plane access, not endpoint malware, is sufficient for catastrophic impact.

Okta is a major US cloud identity and access management vendor providing single sign-on, multi-factor authentication and lifecycle management for enterprise users. In 2022, the Lapsus$ group obtained access to Okta's internal systems via a third-party support provider, affecting a limited number of Okta customers. The breach demonstrated that the identity provider itself was an attack surface, not just the applications it protected.

For the cybersecurity market, the SolarWinds-Okta sequence established a clear thesis that the Stryker incident tested operationally: if identity is the attack surface, then controls on the identity plane, specifically Conditional Access, session binding and just-in-time privilege, must match the risk level of the assets the identity platform protects. The CrowdStrike-SGNL acquisition is the market's architectural answer to that thesis.