CrowdStrike Catches Insider Leaking Data to Hackers

CrowdStrike confirmed last month that its security team identified and terminated an employee who had been sending screenshots of the company's internal systems to hackers. The screenshots appeared in the Telegram channel operated by Scattered Lapsus$ Hunters, a collective made up of members of Scattered Spider, LAPSUS$, and ShinyHunters. The leaked images showed admin panels with links to company resources, including the Okta admin panel employees use to reach internal applications.

The Hackers' Claims

The threat actors claimed their access to CrowdStrike stemmed from a recent data breach at Gainsight, a company that provides customer relationship management solutions. Gainsight helps Salesforce clients track and manage customer data. Last week, Salesforce issued a warning that the breach affected published Gainsight applications connected to its platform.

Neither company has disclosed details of these attacks, but the incident resembles the August 2025 hack of Salesloft. In that breach, Scattered Lapsus$ Hunters used stolen OAuth tokens belonging to the Drift AI chatbot integration to pull confidential data out of Salesforce customer instances, including passwords, AWS access keys, and Snowflake tokens.

CrowdStrike's Response

CrowdStrike representatives dispute the hackers' version of events. They state that the published screenshots are unrelated to any Gainsight compromise. An internal investigation revealed that an insider within the company had been sharing photos of their computer screen with third parties. The company emphasized that its systems were not compromised and customer data remains secure. All information about the incident has been turned over to law enforcement.

The $25,000 Deal

According to Bleeping Computer, a member of ShinyHunters, part of Scattered Lapsus$ Hunters, told the publication that the group had arranged to pay the insider $25,000 for access to CrowdStrike's network. The insider reportedly managed to hand over SSO authentication cookies, but by then CrowdStrike had already detected the leak and revoked the employee's access. A stolen session cookie lets its holder act as the already-authenticated user without a password or MFA prompt, so revoking an account only helps if it also invalidates the user's live sessions.
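The two controls that matter in a cookie-for-cash scenario like this one are detecting a session cookie being replayed from somewhere other than the client it was issued to, and making sure revocation actually kills live sessions rather than just the login. The following is an added illustration, not CrowdStrike's, Okta's or the attackers' code; the session record layout, the access-log format, the 15-minute window and all names and IP addresses are assumptions constructed for the example.

```python
"""Spotting a replayed SSO session cookie and enforcing session revocation.

Added example; the schema, log format and detection rule are illustrative
assumptions, not any vendor's real implementation.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Session:
    user: str
    issued_ip: str
    issued_ua: str
    revoked: bool = False


class SessionStore:
    """Server-side record of issued SSO session cookies (assumed schema)."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def issue(self, token: str, user: str, ip: str, ua: str) -> None:
        self.sessions[token] = Session(user, ip, ua)

    def revoke_user(self, user: str) -> int:
        """Revoke every live session for `user`; returns how many were cut.

        Disabling the account alone is not enough: a cookie already copied
        out of the browser keeps working until the session itself is dead.
        """
        n = 0
        for s in self.sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                n += 1
        return n

    def check(self, token: str, ip: str, ua: str) -> str:
        """Decide what to do with a request presenting `token`."""
        s = self.sessions.get(token)
        if s is None:
            return "deny:unknown"
        if s.revoked:
            return "deny:revoked"
        # Valid cookie presented from a source other than the one it was
        # issued to: this is what a bought or stolen cookie looks like.
        if ip != s.issued_ip or ua != s.issued_ua:
            return "challenge:new-source"
        return "allow"


# Constructed access-log lines (not real telemetry): time, session id, client IP.
LOG_LINES = [
    "2025-11-20T09:58:00 sid=sess-A ip=10.20.1.15",
    "2025-11-20T10:01:30 sid=sess-A ip=10.20.1.15",
    "2025-11-20T10:03:05 sid=sess-A ip=185.220.101.7",
    "2025-11-20T10:04:00 sid=sess-B ip=10.20.1.16",
    "2025-11-20T11:30:00 sid=sess-B ip=10.20.1.16",
]


def parse_line(line: str) -> tuple[datetime, str, str]:
    ts, sid, ip = line.split()
    return datetime.fromisoformat(ts), sid.split("=", 1)[1], ip.split("=", 1)[1]


def find_concurrent_use(lines, window: timedelta = timedelta(minutes=15)) -> set[str]:
    """Return session ids used from two different IPs within `window`.

    One cookie should come from one client; two IPs close together in time
    means the cookie has been copied, whether by malware or by a person.
    """
    seen: dict[str, list[tuple[datetime, str]]] = {}
    flagged: set[str] = set()
    for line in lines:
        ts, sid, ip = parse_line(line)
        for prev_ts, prev_ip in seen.get(sid, []):
            if prev_ip != ip and ts - prev_ts <= window:
                flagged.add(sid)
        seen.setdefault(sid, []).append((ts, ip))
    return flagged


if __name__ == "__main__":
    store = SessionStore()
    store.issue("sess-A", "alice", "10.20.1.15", "Mozilla/5.0 corp-laptop")
    print(store.check("sess-A", "185.220.101.7", "curl/8.0"))   # challenge:new-source
    print(store.revoke_user("alice"))                            # 1
    print(store.check("sess-A", "10.20.1.15", "Mozilla/5.0 corp-laptop"))  # deny:revoked
    print(find_concurrent_use(LOG_LINES))                        # {'sess-A'}
```

The log scan is deliberately crude: binding a session to an exact IP and User-Agent will produce false positives for roaming laptops and VPN hops, which is why the mismatch result is a step-up challenge rather than a hard deny. Revocation, by contrast, is unconditional, and `revoke_user` is the call that should run the moment an insider is suspected, before the HR process rather than after it.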

The criminals also claimed they attempted to purchase CrowdStrike threat intelligence reports containing information on ShinyHunters and Scattered Spider but never received them.

Shift to New Ransomware Platform

Earlier this month, Bleeping Computer reported that ShinyHunters and Scattered Spider are moving to a new RaaS (Ransomware-as-a-Service) platform of their own called ShinySp1d3r, a departure from their previous reliance on third-party encryptors such as ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.