Action we've taken in response to a potential Okta breach

The GitLab Security team is investigating and monitoring the situation surrounding a possible breach on the Okta platform to determine if there are any potential security issues that could have impacted GitLab or our users. At this time, no malicious activity, exploitation, or indicators of compromise have been identified on GitLab.com.

How GitLab uses Okta

GitLab uses Okta as a single-sign-on solution for access to various SaaS applications.

Actions we have taken

• We’ve examined our logs, including our Okta logs to verify there has been no malicious activity.
• We’ve been in contact with Okta and our industry peers to fully understand Okta’s potential breach and the potential impact to GitLab.
• We’ve developed multiple contingency plans to thwart any potential attack scenarios and help protect GitLab and our users.
• Out of an abundance of caution we are evaluating additional widespread safeguard measures to further protect our team members’ sensitive credentials.

Actions recommended for Customers (GitLab.com and Self-Managed)

• If you use Okta to access your GitLab account, we recommend that you review your Okta logs for suspicious activity and contact Okta support to determine if there are any additional actions you should take with respect to your specific Okta implementation.
• If you have not already done so, you should add multi-factor authentication (MFA) to your GitLab account. We recommend enabling MFA on all systems wherever possible. In fact, if given the choice we recommend U2F. Learn how to set up U2F with GitLab.
• Review our “Security hygiene best practices for GitLab users” blog post which details simple but effective security practices that GitLab users should consider implementing to add additional layers of protection for themselves and help reduce risk for their organizations.

Our teams are continuing to investigate this situation for possible security issues that may impact our product and customers. If we discover that either our product or customers are at risk, we will update this blog post and notify users via a GitLab security alert.

Users can sign up to receive security alerts and notifications via email on our Contact Us page. If you've got a security question or concern, review how to contact our Support team.