Last month, the City of London Police arrested seven people aged 16 to 21 in connection with the LAPSUS$ group, the loose collective that compromised Microsoft, Okta, Nvidia, Samsung, Vodafone, Ubisoft, and Mercado Libre in a few-month spree from late 2021 into the spring of 2022. The Police Service of Northern Ireland was also involved. Brazilian authorities had arrested members earlier. The published reporting suggests a teenager in Oxfordshire was a central figure.
I want to write about LAPSUS$ because the lessons from their spree are awkward for the security industry. Not because the attacks were sophisticated — they were not — but because the methods worked against firms whose security spending is in the high hundreds of millions of pounds. The methods were embarrassing for the defenders. They should also reshape how boards think about where security investment actually returns.
What they did
LAPSUS$ did not develop novel exploits. They did not write malware. They did not use commercial offensive tooling. The Microsoft Threat Intelligence Center analysis (Microsoft tracks the group as DEV-0537), published after Microsoft itself was breached, which is to its credit, describes a playbook with three main steps.
Buy or harvest credentials. Stolen credentials from infostealers, dark-web markets, and previous breaches. Cheap. Plentiful.
Defeat the MFA. When MFA blocked the login, the group used a combination of SIM-swap attacks (porting the target's number to intercept SMS codes), MFA fatigue (sending push prompts over and over until the user accepted one to make them stop), and old-fashioned social engineering of help desks (calling while pretending to be the target and getting MFA re-enrolled on a device the attacker controlled).
Once inside, exfiltrate and extort. No encryption, no ransomware. Just data theft and public threats to release it. The threats were carried out on Telegram, in public, in a way that maximised media attention.
That is the entire playbook. It is what defeated several firms whose threat models had been built around nation-state actors and advanced persistent threats. The threat that actually arrived was teenagers paying $10 for credentials and being annoying on a phone.
The MFA-fatigue lesson
The single most consequential lesson from LAPSUS$ is about push-based MFA. The pattern they exploited was: user enters credentials (which the attacker has). The MFA system sends a push notification to the user's phone. The user, asleep or busy or just confused, eventually accepts a notification to make the prompts stop. The attacker now has a session.
The defence is straightforward. Push-based MFA without number matching is structurally vulnerable to this, because the only thing the user has to do to approve is tap. Number matching, where the user has to type a specific number shown on the login screen into their phone to approve, closes that gap: a user who is not looking at a login screen has no number to type. Microsoft, Okta, Duo, and most major identity providers now support it. Many firms have not turned it on. The marginal cost is close to zero. The marginal benefit is large. One caveat: number matching stops blind approval, not phishing. An adversary-in-the-middle proxy that relays the real login page can still show the victim the real number, so it is a fix for fatigue, not a substitute for the next step.
The more durable answer is phishing-resistant MFA: FIDO2 hardware tokens or platform passkeys. These are immune to MFA fatigue because there is no remote prompt to approve. The authenticator only signs a challenge after a local user gesture, and the credential is bound to the origin that registered it, so a prompt from an attacker's infrastructure gets nothing useful back.
If your firm is still on push-based MFA without number matching for staff accounts, this is the single highest-leverage change you can make this quarter. It catches LAPSUS$ and it catches everything downstream of LAPSUS$, which will be many things over the next year.
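Turning the control on is the fix; knowing whether you were already being hit is the other half. The following is an added example (not code from the original post) that runs a simple push-bombing detector over a constructed, vendor-neutral JSON-lines authentication log. The field names `ts`, `user`, `event` and `src_ip` and the event names `push.sent`, `push.denied`, `push.timeout` and `push.approved` are assumptions; map them to your identity provider's own event schema before use. The window and threshold are also assumptions to tune against your own baseline.

```python
"""Detect MFA fatigue (push bombing) in an authentication log.

Added example, not from the original post. Field names, event names,
window and threshold are assumptions; adapt them to your IdP's log schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back window per user (assumption)
THRESHOLD = 4                   # pushes inside the window that count as bombing (assumption)

# Constructed sample log: one normal login (asmith), one user who denied a
# couple of stray prompts (bwong), and a push-bombing run against jdoe from a
# single IP that ends with the victim approving to make it stop.
SAMPLE_LOG = """
{"ts": "2022-03-01T01:50:00Z", "user": "asmith", "event": "push.sent",     "src_ip": "198.51.100.7"}
{"ts": "2022-03-01T01:50:20Z", "user": "asmith", "event": "push.approved", "src_ip": "198.51.100.7"}
{"ts": "2022-03-01T01:55:00Z", "user": "bwong",  "event": "push.sent",     "src_ip": "192.0.2.44"}
{"ts": "2022-03-01T01:55:30Z", "user": "bwong",  "event": "push.denied",   "src_ip": "192.0.2.44"}
{"ts": "2022-03-01T01:57:00Z", "user": "bwong",  "event": "push.sent",     "src_ip": "192.0.2.44"}
{"ts": "2022-03-01T01:57:40Z", "user": "bwong",  "event": "push.denied",   "src_ip": "192.0.2.44"}
{"ts": "2022-03-01T02:03:00Z", "user": "jdoe",   "event": "push.sent",     "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:03:45Z", "user": "jdoe",   "event": "push.timeout",  "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:04:10Z", "user": "jdoe",   "event": "push.sent",     "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:04:30Z", "user": "jdoe",   "event": "push.denied",   "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:05:00Z", "user": "jdoe",   "event": "push.sent",     "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:05:45Z", "user": "jdoe",   "event": "push.timeout",  "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:06:10Z", "user": "jdoe",   "event": "push.sent",     "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:06:30Z", "user": "jdoe",   "event": "push.denied",   "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:07:00Z", "user": "jdoe",   "event": "push.sent",     "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:07:45Z", "user": "jdoe",   "event": "push.timeout",  "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:08:30Z", "user": "jdoe",   "event": "push.sent",     "src_ip": "203.0.113.9"}
{"ts": "2022-03-01T02:08:50Z", "user": "jdoe",   "event": "push.approved", "src_ip": "203.0.113.9"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per user who received >= `threshold` push challenges
    inside any `window`-long span. The outcome is "compromised" if the user
    approved a push while the run was still in progress, else "attempted"."""
    recent = defaultdict(deque)  # user -> (ts, src_ip) of push.sent inside the window
    findings = {}
    for rec in events:
        user, ev, ts = rec["user"], rec["event"], rec["ts"]
        if ev == "push.sent":
            q = recent[user]
            q.append((ts, rec["src_ip"]))
            while ts - q[0][0] > window:  # drop sends that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(user, {
                    "user": user, "pushes": 0, "outcome": "attempted",
                    "src_ips": set(), "first": q[0][0], "last": ts})
                f["pushes"] = max(f["pushes"], len(q))
                f["last"] = ts
                f["src_ips"].update(ip for _, ip in q)
        elif ev == "push.approved" and user in findings:
            f = findings[user]
            if ts - f["last"] <= window:  # approval landed inside the bombing run
                f["outcome"] = "compromised"
                f["approved_at"] = ts
    out = []
    for f in findings.values():
        f["src_ips"] = sorted(f["src_ips"])
        out.append(f)
    return sorted(out, key=lambda f: f["user"])


if __name__ == "__main__":
    for f in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}: {f['pushes']} pushes {f['first']:%H:%M}-{f['last']:%H:%M} "
              f"from {','.join(f['src_ips'])} -> {f['outcome']}")
```

On the sample above only jdoe is flagged, with six pushes in under six minutes and an approval at the end, which is exactly the pattern to page on-call for: a "compromised" finding means the session that followed the approval should be revoked and the account's MFA re-enrolled, not just watched. The two denials from bwong stay below the threshold, which is the point of using a windowed count rather than alerting on every denial.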
The help-desk lesson
The second lesson is about help desks. Several of LAPSUS$'s compromises came from social engineering of internal IT support — calling, claiming to be a stranded executive or a panicked employee, and persuading the help desk to reset MFA to a device the caller controlled.
The defence is procedural. No MFA reset, and no new-device enrolment, without verification through a separate channel. The caller's identity must be confirmed by something other than what they tell you on the phone: a video call, a call-back to the number in the internal directory, or confirmation from the person's manager. Several large firms still have help-desk processes that do not require this. They are the same firms that will be in next year's incident reports.
The Okta dimension
Okta deserves a separate paragraph because their compromise was not strictly Okta's. It came through a third-party support contractor, Sitel, whose support engineers had access to customer tenants for support purposes: enough to reset passwords and MFA factors, though not to create or delete users. LAPSUS$ compromised a Sitel support engineer's machine, used that access to view a small number of customer tenants, and the rest is uncomfortable Okta history. Okta's own published statement became a case study in how not to communicate during an incident: slow, defensive, and more focused on minimising the perceived impact than on telling customers what happened.
The lesson there is two-fold. Your suppliers' suppliers are your suppliers. And the worst thing you can do during an incident is communicate badly. Many firms got the first lesson from SolarWinds. The second lesson is still being learned.
What boards should ask this quarter
Three questions for the audit committee.
Have we enabled number matching on push MFA, and what proportion of our user base is now on phishing-resistant authentication? The honest answer for most firms is "not yet" and "small". The target for the next twelve months is "yes" and "all senior and privileged users".
What is our help-desk policy for MFA reset, and when was it last tested with a social-engineering attempt we ourselves commissioned? If the answer is "we have a policy and we have not tested it", the test should be in the diary.
Who has administrative access to our identity provider, and what controls protect those accounts? The answer is usually a small number of people and a small number of accounts. Each of them is a LAPSUS$-shaped target: phishing-resistant MFA, no help-desk reset path, and logging that someone actually reads. Treat them accordingly.
Why this matters beyond LAPSUS$
The arrests have, for now, taken LAPSUS$ off the field. The teenagers who made up the group will face their prosecutions. The playbook will not retire with them. It is the cheapest, lowest-skill, highest-yield offensive playbook in the current market, and it will be used by every group whose ambitions outstrip their technical capability. That is most groups.
The defenders who fix the MFA-fatigue gap and the help-desk gap this quarter will be ahead of the curve. The defenders who do not will spend the rest of 2022 explaining why they were not.
That is the lesson the teenagers have given us. It would be a disservice to pretend it is not awkward.