Vendor Breach Lessons – MOVEit & Okta Fixes | RiskImmune
The MOVEit and Okta breaches underscore critical failures in third-party risk management, revealing vulnerabilities that extend beyond immediate incidents…
By RiskImmune Team · 23 December 2025
The MOVEit and Okta Breaches: A Deep Dive into Third-Party Risk Management Failures

In May 2023, the cybersecurity firm Progress Software disclosed a significant vulnerability in its MOVEit Transfer tool, which allowed threat actors to exploit a zero-day flaw and access sensitive data belonging to its clients. Shortly thereafter, Okta, a leading identity and access management provider, reported a separate incident in which attackers accessed its source code and internal tools through a compromised third-party vendor. These breaches not only compromised client data but also highlighted systemic weaknesses in third-party risk management practices that continue to plague organizations across sectors.

What Went Wrong

The MOVEit breach was primarily attributed to a SQL injection vulnerability that allowed attackers to gain unauthorized access to the data stored within the MOVEit Transfer service. This flaw, which had existed for an unspecified duration, was not addressed in a timely manner, reflecting a critical lapse in both the software development lifecycle and the vulnerability management process. Progress Software’s failure to perform rigorous security assessments and patch management ultimately left its clients exposed to significant risk.

In the case of Okta, the breach stemmed from a compromised third-party vendor that had access to Okta’s internal systems. Attackers exploited this access to infiltrate Okta’s source code repository, potentially enabling further attacks on its customer base. The incident exposed weaknesses in Okta’s vendor management framework, particularly its oversight of third-party security protocols and the lack of stringent access controls for sensitive data.

Why This Matters

The MOVEit and Okta breaches exemplify a systemic failure in the third-party risk management frameworks that many organizations still employ. As businesses increasingly rely on external vendors for critical services, the security posture of these third parties directly impact…