Explainer: Lapsus$ hacking group


Lapsus$ has made headlines in the past two weeks for its high-profile hacks, followed by the revelation that the group might be made up of teenagers. We break down the flurry of news coverage for you.

What is Lapsus$?

First emerging in December 2021, Lapsus$ is a hacking organization that focuses on data theft and extortion. The group mainly targets corporations. 

Who has Lapsus$ hacked?

Most recently, the group made waves when it announced a hack of Okta, a service that lets company employees log in to multiple online accounts using one set of credentials. Okta has confirmed that a hacker had access to a vendor’s laptop during five days in January. 

The Okta news was especially worrisome, as a breach could potentially compromise a large number of accounts for each of its users.

Lapsus$ has also claimed to have successfully attacked Microsoft, LG Electronics, Nvidia, Localiza, MercadoLibre and MercadoPago, Vodafone, Sitel, Brazil’s Ministry of Health, and Samsung, among others. In its hacks, the group has leaked source code, stolen employee information, launched DoS attacks, and even redirected a site to a porn page.

What methods does Lapsus$ use?

As an extortion group, Lapsus$ is different from others in that it does not use typical ransomware technologies in its efforts to gain monetary payment. 

To achieve its data breaches, Lapsus$ uses a variety of methods, mostly based on social engineering. It might, for instance, trick customer support agents into granting access. It also uses SIM swapping to take over accounts. In some cases, it attempts to compromise the personal email accounts of employees at the companies it is targeting, and then uses that email to gain access to corporate accounts.

Most provocatively, Lapsus$ has used its Telegram feed to publicly solicit employees to provide access to company networks for pay.

Lapsus$ has a Telegram account?

Unusual for a hacking group, Lapsus$ has managed to drum up a lot of buzz by using a Telegram account to report its activities. In the case of an attack on Microsoft, the group announced what it was doing on Telegram while the hack was in progress, allowing Microsoft to stop the attack. The group has also repeatedly said on its Telegram feed that it is only interested in money, has no political agenda, and is not state-sponsored.

Early on, experts described Lapsus$ as seemingly talented but also oddly erratic in its attacks. It would later emerge that teenagers are likely to make up some of its members—explaining much of the group’s behavior.

They’re teenagers?

Bloomberg first revealed that investigators hired by companies who were victims of Lapsus$ believed at least two of the group’s members were teenagers, one a 16-year-old in the UK, another living in Brazil. UK police have since arrested seven people, all between 16 and 21, in connection with Lapsus$.

Should this matter to you?

If you’re an employee of a big company, these breaches should be a stark reminder of how careful we have to be about phishing and social engineering. Attackers are waiting for someone to let their guard down to break into a network.

There is basically nothing that you as a customer can do when a company experiences a breach. But it’s important to keep in mind that even if a data leak exposes your password, you can keep your other accounts safe by not using the same password across accounts. Read more on using unique passwords.

Vanessa is an editor of the blog.