In 2022, a teenager posted screenshots from inside the company that controls the login page for 18,000 organisations — not by breaking through a firewall, but through a contractor's compromised laptop. Twenty months later, it happened again. This time through a diagnostic file uploaded to a support ticket.

This is the full story of both Okta breaches — how a contractor's laptop, a credential saved to a personal Google account via Chrome's password sync, and a file format most people have never heard of gave attackers a window into Cloudflare, 1Password, BeyondTrust, and thousands of others. And how one company was told something was wrong — and stayed silent for 18 days.

Zero Day Logs is an investigative audio documentary built entirely from the public record: official security advisories, customer post-incident reports, court documents, and verified forensic findings. Every breach. One episode. Real consequences.

Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

____________________________

CHAPTERS

00:00 Cold Open — Screenshots on Telegram
03:52 The Invisible Gatekeeper
06:07 Lapsus$ — Not a Nation State
07:52 What Actually Happened in 2022
08:03 How Authentication Actually Works
11:43 The Contractor's Laptop
19:53 Twenty Months Later
23:13 The 2023 Breach
24:17 The HAR File — A Flight Data Recorder
25:03 Session Cookies and Stolen Wristbands
27:55 The November 29th Disclosure
30:03 Cloudflare, 1Password, BeyondTrust
34:15 The Supply Chain Problem
36:38 Zero Trust and Assume Breach
40:31 Eighteen Days of Silence
41:43 The Three Missing Controls
43:23 The Credential That Left the Building
47:06 What Changed After
48:20 The Chain of Trust
53:09 Outro
53:35 Next: SolarWinds

____________________________

SOURCES & FURTHER READING

- Okta Security Advisory — October 2023
- Okta Expanded Disclosure — November 29, 2023
- Okta Security Advisory — March 2022
- Cloudflare blog: "How Cloudflare mitigated yet another Okta compromise"
- 1Password Security Incident Report (2023)
- BeyondTrust Incident Disclosure (2023)
- CISA Identity Security Guidance
- Lapsus$ public reporting / Arion Kurtaj UK conviction (2023)

In September 2023, one of the largest casino and hospitality companies on Earth was brought to a standstill — not by malware, not by a state-sponsored strike, but by a single phone call to an IT help desk.

This is the full story of how Scattered Spider exploited the gap between trust and verification — from a LinkedIn search to a rogue Identity Provider inside MGM's Azure AD tenant — and how a $100M containment decision brought the casino floor dark.

Zero Day Logs is an investigative audio documentary built entirely from the public record: SEC filings, court documents, government advisories, and verified forensic findings. Every breach. One episode. Real consequences.

Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

CHAPTERS

00:00 Cold Open — Las Vegas Goes Dark

00:19 The Casino Floor Stops

01:38 The Help Desk: Where It All Started

03:42 OSINT — They Opened LinkedIn

04:43 Vishing: The Phone Call

05:47 Inside Okta — The MFA Reset

06:12 How Multi-Factor Authentication Works

09:49 Lateral Movement — Mapping the Network

11:53 Federated Identity Explained

16:10 SAML Assertion Forgery

18:25 The ESXi Architecture

20:08 MGM Pulls the Plug

20:48 What One MFA Reset Actually Cost

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SOURCES & FURTHER READING

• Okta Security Advisory (2023)
• CISA Advisory AA23-320A
• MGM SEC 8-K filing, September 2023
• Microsoft DART case study