Lapsus$
A teenager in Oxford and a small Telegram group walked through Nvidia, Samsung, Microsoft, Okta, and Uber on charm and SIM swaps.
Lapsus$ did not look like a sophisticated threat group. They posted memes on Telegram. They ran polls asking their followers whose data to leak next. The members later arrested in Britain were aged between sixteen and twenty-one.
A different playbook
What made them effective was a deliberate refusal to use the conventional playbook. They did not bother with novel malware or zero-days. They bought stolen session cookies from initial-access brokers, paid insiders for credentials, and — most consequentially — leaned hard on multi-factor fatigue.
The technique was simple. Once they had a valid username and password from a phishing kit, an infostealer log, or a breach dump, they would trigger push notifications to the user's phone over and over again, hour after hour, until the target tapped Approve to make the buzzing stop. Microsoft documented the method in its 2022 write-up of the group, which it tracked as DEV-0537, and Uber's intrusion in September 2022 began exactly this way: a contractor, bombarded with prompts, finally accepted one.
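What this looks like from the defender's side is a burst of push challenges for one account, none of them approved, and then one that is. The script below is an added example, not code from the original entry or from any of the companies named in it: it parses a constructed sign-in log and flags accounts that received many push challenges in a short window, noting whether an approval followed. The event names (PUSH_SENT, PUSH_DENIED, PUSH_TIMEOUT, PUSH_APPROVED) and the line format are assumptions; a real identity provider has its own event types that you would map onto these first.

```python
"""Flag MFA push-fatigue patterns in identity-provider sign-in logs.

Added example for this chronicle entry. The log format and event names are
assumed; real IdPs (Okta, Azure AD, Duo) use their own event schemas.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 timestamp, user, event, source IP.
# "alice" is bombarded with seven pushes in twelve minutes and finally
# approves one; "bob" is a normal login with a single prompt.
SAMPLE_LOG = """\
2022-03-01T02:10:01Z alice PUSH_SENT 203.0.113.9
2022-03-01T02:10:31Z alice PUSH_TIMEOUT 203.0.113.9
2022-03-01T02:12:02Z alice PUSH_SENT 203.0.113.9
2022-03-01T02:12:10Z alice PUSH_DENIED 203.0.113.9
2022-03-01T02:14:05Z alice PUSH_SENT 203.0.113.9
2022-03-01T02:14:35Z alice PUSH_TIMEOUT 203.0.113.9
2022-03-01T02:16:09Z alice PUSH_SENT 203.0.113.9
2022-03-01T02:16:39Z alice PUSH_TIMEOUT 203.0.113.9
2022-03-01T02:18:12Z alice PUSH_SENT 203.0.113.9
2022-03-01T02:18:42Z alice PUSH_TIMEOUT 203.0.113.9
2022-03-01T02:20:15Z alice PUSH_SENT 203.0.113.9
2022-03-01T02:20:45Z alice PUSH_TIMEOUT 203.0.113.9
2022-03-01T02:22:18Z alice PUSH_SENT 203.0.113.9
2022-03-01T02:22:25Z alice PUSH_APPROVED 203.0.113.9
2022-03-01T09:00:00Z bob PUSH_SENT 198.51.100.4
2022-03-01T09:00:07Z bob PUSH_APPROVED 198.51.100.4
"""


def parse(log_text):
    """Turn the assumed whitespace-separated format into (ts, user, event, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def find_push_fatigue(events, window=timedelta(minutes=30), min_challenges=5):
    """Return {user: {"challenges": n, "approved_after_bombing": bool}} for every
    user who received at least `min_challenges` push challenges inside `window`.

    The count of challenges is the warning; an approval while the count is
    still above threshold is the incident, because the push bomb worked.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        recent = deque()          # timestamps of PUSH_SENT still inside the window
        peak = 0                  # most challenges seen inside any one window
        approved_after_bombing = False
        for ts, _, event, _ in evs:
            # Drop challenges that have aged out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if event == "PUSH_SENT":
                recent.append(ts)
                peak = max(peak, len(recent))
            elif event == "PUSH_APPROVED" and len(recent) >= min_challenges:
                approved_after_bombing = True
        if peak >= min_challenges:
            findings[user] = {
                "challenges": peak,
                "approved_after_bombing": approved_after_bombing,
            }
    return findings


if __name__ == "__main__":
    for user, info in find_push_fatigue(parse(SAMPLE_LOG)).items():
        verdict = "APPROVED after bombing" if info["approved_after_bombing"] else "no approval"
        print(f"{user}: {info['challenges']} challenges in window, {verdict}")
```

Thresholds are the judgement call: five challenges in thirty minutes catches the hour-long campaigns described above, but a legitimate user with a flaky phone will occasionally trip it, so the approval-after-bombing flag is the one that should page someone. The durable fix is to make blind approval impossible, for example with number matching, where the user must type a code shown on the login screen into the authenticator, or with phishing-resistant factors such as FIDO2 keys.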
The Okta moment
The Okta breach in early 2022 was the alarming one. Okta sat as the identity provider for thousands of enterprises, and Lapsus$ had compromised the laptop of a support engineer at Sitel, one of Okta's third-party contractors. The blast radius, in principle, was every customer Okta served. In practice it was far smaller: Okta's own investigation concluded that the attacker controlled the engineer's workstation for a single twenty-five-minute window in January 2022 and reached two customer tenants. The lasting damage was to trust, because the intrusion only became public in March, after Lapsus$ posted screenshots, and customers learned of it from Telegram rather than from their identity provider.
What the chronicle remembers
Lapsus$ punctured the comfortable narrative that serious cyber operations require serious tradecraft. A group of teenagers, mostly working from bedrooms, walked into some of the most security-conscious companies on Earth by exploiting two phenomena older than the internet: bored people and tired thumbs.