Hacker News
by hexadec 1551 days ago
I think the flip-flopping is hurting them and their users more and more. What was initially a flat denial this morning has resulted in taunts from Lapsus$ on Twitter, and Okta was out-scooped by Cloudflare's public investigation. Now they admit a breach affecting 2.5% (roughly 250 orgs based on public data).

The webinar tomorrow should be fascinating if they allow questions.


“A contractor’s laptop was owned for 5 days who had super user access, but we didn’t get breached” was a strange conclusion in their original statement.
I think they were gambling that it couldn't be proven.
They've lost all credibility at this point. You can't say "we didn't get breached, nobody got owned" and then turn around and say "actually a lot of our customers did get owned" after you get called out on it.
They lost all credibility when they failed to do the one single thing companies trust them to do, on a massive and severe scale, with long-lasting financial repercussions for AT LEAST 250 of the world's biggest companies (I believe it's more than they're letting on).
It is a shame that the new DHS 72 hour reporting requirement was not in effect when this breach occurred, but it is extremely evident why it is required. Regarding business classification, I don't think it's too difficult to argue that commercial identity providers are critical infra.

https://news.ycombinator.com/item?id=30699024

https://www.congress.gov/bill/117th-congress/house-bill/2471...

That law is modelled on laws in the EU, Australia and other countries. I know that if my employer is one of the affected companies, they are in breach of our notification laws.
GDPR already covers this. If companies with EU employees were among the 2.5% (not unlikely), they should have disclosed this, first to the ICO and customers, then the public.
Did you catch the webinar? I missed it and would love to hear details and/or notes.