CrowdStrike fires employee caught sharing screenshots with Scattered Lapsus$ Hunters gang
American cybersecurity giant CrowdStrike has confirmed the termination of an employee who was caught sharing internal system screenshots with the Scattered Lapsus$ Hunters hacking collective.
The incident was reported on November 21, 2024, when internal screenshots surfaced on the threat group's public Telegram channel, initially sparking concerns about a potential breach of the company's systems. The screenshots, which were reviewed by security researchers, showed internal dashboards and an Okta Single Sign-On panel that employees use to access corporate applications.
The threat actors initially claimed the images were proof of a successful compromise through a third-party breach at Gainsight, a customer success platform used by Salesforce clients. The investigation, however, revealed that this was instead a case of insider recruitment and human vulnerability.
ShinyHunters allegedly offered the CrowdStrike employee $25,000 in cryptocurrency in exchange for access to the company's network. The insider, who had legitimate access to CrowdStrike's internal systems, agreed to share sensitive information with the hacking group. CrowdStrike's security operations center detected the suspicious activity before any malicious access could be established, leading to the employee's identification and termination. A company spokesperson emphasized that the incident involved an employee taking photographs of their computer screen and sharing them externally.
The exposed data included:
- Internal system screenshots showing company dashboards
- Okta Single Sign-On (SSO) panel interfaces used by employees for accessing internal applications
- SSO authentication cookies (allegedly received by the threat actors, though access was already shut down)
- Links to internal company resources and administrative panels
CrowdStrike claims that no customer data was compromised and all systems remained secure throughout the incident. After the incident, the threat group escalated their campaign by publicly announcing a $50,000 bounty for additional CrowdStrike employees willing to provide access, screenshots, authentication material, or sensitive internal documentation.
The case has since been turned over to relevant law enforcement agencies for further action.