2022-01
Okta
Workforce + CIC (Auth0)
Duration: Multi-day disclosure cycle
Scope: Approximately 366 customers affected
Root cause: LAPSUS$ access via a 3rd-party support contractor
Okta disclosed in March 2022 that LAPSUS$ had accessed support tooling via a contractor. Approximately 366 customers (~2.5% of base) were affected. The long disclosure cycle drew significant criticism, and the incident set the precedent for support-vendor scrutiny across the IAM industry.
Source: Okta security incident page
2023-10
Okta
Customer Identity (CIC)
Duration: Disclosed Oct 2023; impact through Nov
Scope: Customer support system files accessed
Root cause: Stolen credential used to access support tooling
Second high-profile Okta incident. Files uploaded by some customers to support tickets were accessed via stolen credentials in Okta's customer support system. Major US enterprises (1Password, Cloudflare, BeyondTrust) publicly confirmed they were affected. Drove industry-wide tightening of support-tooling access.
Source: Okta security advisory
2024-01
Microsoft
Entra ID + Microsoft 365
Duration: Multi-day attack disclosure
Scope: Senior leadership email accounts
Root cause: Password spray on legacy non-production tenant
"Midnight Blizzard" (Russian-state-affiliated actor APT29) accessed senior Microsoft leadership email via a legacy non-production tenant that lacked MFA. The attack used password spray. Microsoft disclosed extensive details + remediation. CISA Emergency Directive ED-24-02 required US federal agencies to assess impact.
2024-Q3
Microsoft
Entra ID
Duration: ~10 hours (regional)
Scope: Authentication failures in specific regions
Root cause: Config push regression
A configuration push caused authentication failures for Entra ID customers in specific regions. Notable because the workforce IdP being unavailable cascades — apps that federate to Entra fail too. Drove conversations about workforce IdP DR planning.
Source: Microsoft 365 status history
2017-02
AWS
S3 (us-east-1) + cascading IAM impact
Duration: ~4 hours
Scope: us-east-1 region
Root cause: Typo during routine S3 subsystem maintenance
The "AWS typo" outage. Knocked out a huge swath of the internet because of how many SaaS / IAM platforms depend on AWS us-east-1. Even when IAM vendors are operational, AWS regional outages cascade. Still cited as a baseline scenario for IAM continuity planning.
Source: AWS post-event summary
2024-07
CrowdStrike (endpoint, not IAM but cascades)
Falcon sensor
Duration: ~24 hours global recovery
Scope: ~8.5M Windows endpoints
Root cause: Defective sensor update
Not strictly IAM but listed because it triggered enterprise authentication failures at scale — endpoints couldn't boot, Conditional Access posture checks failed, recovery required physical access to machines. Reset enterprise expectations about endpoint-coupled IAM.
Source: CrowdStrike post-incident review
Ongoing
Various
CISA Emergency Directives (identity-adjacent)
Duration: Multiple in 2024-2025
Scope: US Federal agencies
Root cause: Variable — Ivanti, Microsoft, Sisense, etc.
CISA Emergency Directives ED-24-01 (Ivanti Connect Secure), ED-24-02 (Microsoft Midnight Blizzard), ED-23-02, and others address identity-adjacent compromises requiring rapid federal response. They are not technically vendor outages, but they represent the same blast-radius pattern.
Source: CISA Emergency Directives