
The text is a bit ambiguous (and probably on purpose; I'm sure it passed through multiple layers where multiple lawyers have reviewed it too). Okta says Lapsus$ were unable to "obtain" the passwords, but they didn't say they were unable to set their own passwords (for example). Neither are the MFA tokens mentioned, although they do mention MFA in the text.


Then they'd have obtained it, no?

It seems pertinent that a support engineer could trigger a password reset if they were worried a password had been compromised for a user.


> Then they'd have obtained it, no?

If you change a password, then you didn't "obtain" the previous password. Weasel words but there you go.


I think "obtain" here is specifically meant to mean "get existing passwords in plaintext", not "get a valid password via resetting it to a known one".



