American cybersecurity firm CrowdStrike has confirmed that an insider
shared screenshots taken on internal systems with hackers after they
were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.
However, the company noted that its systems were not breached as a
result of this incident and that customers' data was not compromised.

Update November 21, 12:04 EST: Story updated with information from hackers.
"We identified and terminated a suspicious insider last month
following an internal investigation that determined he shared pictures
of his computer screen externally," a CrowdStrike spokesperson told
BleepingComputer today.
"Our systems were never compromised and customers remained protected
throughout. We have turned the case over to relevant law enforcement
agencies."
CrowdStrike did not specify the threat group responsible for the
incident or the motivations of the malicious insider who shared
screenshots.
However, this statement was provided in response to questions from
BleepingComputer regarding screenshots of CrowdStrike systems that were
recently posted on Telegram by members of the threat groups
ShinyHunters, Scattered Spider, and Lapsus$.
ShinyHunters told
BleepingComputer earlier today that they allegedly agreed to pay the
insider $25,000 to provide them with access to CrowdStrike's network.
The threat actors claimed they ultimately received SSO authentication
cookies from the insider, but by then, the suspected insider had
already been detected by CrowdStrike, which had shut down his network
access.
The extortion group added that they also attempted to purchase
CrowdStrike reports on ShinyHunters and Scattered Spider, but did not
receive them.
BleepingComputer contacted CrowdStrike again to confirm if this
information is accurate and will update the story if we receive
additional information.
The Scattered Lapsus$ Hunters cybercrime collective
These groups, now collectively calling themselves "Scattered Lapsus$ Hunters,"
have previously launched a data-leak site to extort dozens of companies
impacted by a massive wave of Salesforce breaches, including Google, Cisco,
Allianz Life, Farmers Insurance, Qantas, Adidas, and Workday, as well as LVMH
subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.
Companies they attempted to extort include high-profile brands and
organizations, such as Google, Cisco, Toyota, Instacart, Cartier, Adidas,
Saks Fifth Avenue, Air France & KLM, FedEx, Disney/Hulu, Home Depot, Marriott,
Gap, Walgreens, TransUnion, HBO Max, UPS, Chanel, and IKEA.
Scattered Lapsus$ Hunters also claimed responsibility for the Jaguar Land Rover (JLR) breach, stealing sensitive data and significantly disrupting operations, resulting in damages of over £196 million ($220 million) in the last quarter.
As BleepingComputer reported this week, the ShinyHunters and
Scattered Spider extortion groups are switching to a new
ransomware-as-a-service platform named ShinySp1d3r, after previously using other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.
This Thursday, ShinyHunters also claimed a new wave of data theft attacks
that allegedly impacted Salesforce instances belonging to over 280
companies. In Telegram messages today, they said the list of breached
companies contains multiple high-profile names, including LinkedIn, GitLab,
Atlassian, Thomson Reuters, Verizon, F5, SonicWall, DocuSign, and Malwarebytes.
As the threat actors told BleepingComputer yesterday, they
compromised the Salesforce instances after breaching Gainsight using
secrets stolen in the Salesloft Drift breach.