Insider reportedly leaked CrowdStrike internal screenshots

 


US-based cybersecurity firm CrowdStrike has confirmed that an insider was responsible for sharing screenshots of internal systems with hackers. The images were later leaked on Telegram by the group now calling itself Scattered Lapsus$ Hunters.

Despite the leak, CrowdStrike said that its infrastructure remained secure and that no customer data was compromised.

“We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally,” a spokesperson told BleepingComputer. “Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies.”

The screenshots appeared on Telegram channels linked to threat groups ShinyHunters, Scattered Spider, and Lapsus$. ShinyHunters claimed they had agreed to pay the insider $25,000 for access to CrowdStrike’s network and said they received SSO authentication cookies before the insider’s activity was detected and blocked.

The group also said it attempted to buy internal CrowdStrike reports about ShinyHunters and Scattered Spider but never obtained them.

CrowdStrike has not confirmed the threat actors’ claims beyond acknowledging the insider incident.

Scattered Lapsus$ Hunters, an alliance of ShinyHunters, Scattered Spider, and Lapsus$ cybercrime groups, has recently launched a data-leak site used to extort companies affected by widespread Salesforce-related breaches. Since early this year, the actors have targeted Salesforce customers through voice-phishing campaigns, breaching organizations such as Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, and luxury brands under LVMH, including Dior, Louis Vuitton, and Tiffany & Co.

