CrowdStrike catches insider feeding information to hackers

by CybrGPT

Update November 21, 12:04 EST: Story updated with information from hackers.

American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with unnamed threat actors.

However, the company noted that its systems were not breached as a result of this incident and that customers’ data was not compromised.


“We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally,” a CrowdStrike spokesperson told BleepingComputer today.

“Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies.”

CrowdStrike did not specify the threat group responsible for the incident or the motivations of the malicious insider who shared screenshots.

However, this statement was provided in response to questions from BleepingComputer regarding screenshots of CrowdStrike systems that were recently posted on Telegram by members of the threat groups ShinyHunters, Scattered Spider, and Lapsus$.

ShinyHunters told BleepingComputer earlier today that they allegedly agreed to pay the insider $25,000 to provide them with access to CrowdStrike’s network.

The threat actors claimed they ultimately received SSO authentication cookies from the insider, but by then, the breach had already been detected by CrowdStrike, which shut down network access.

The extortion group added that they also attempted to purchase CrowdStrike reports on ShinyHunters and Scattered Spider, but did not receive them.

BleepingComputer contacted CrowdStrike again to confirm whether this information is accurate and will update the story if we receive additional information.

The Scattered Lapsus$ Hunters cybercrime collective

These groups, now collectively calling themselves “Scattered Lapsus$ Hunters,” have previously launched a data-leak site to extort dozens of companies impacted by a massive wave of Salesforce breaches.

Scattered Lapsus$ Hunters have been targeting Salesforce customers in voice phishing attacks since the start of the year, breaching companies such as Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, as well as LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.

Companies they attempted to extort include high-profile brands and organizations, such as Google, Cisco, Toyota, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, FedEx, Disney/Hulu, Home Depot, Marriott, Gap, McDonald’s, Walgreens, TransUnion, HBO Max, UPS, Chanel, and IKEA.

Scattered Lapsus$ Hunters also claimed responsibility for the Jaguar Land Rover (JLR) breach, stealing sensitive data and significantly disrupting operations, resulting in damages of over £196 million ($220 million) in the last quarter.

As BleepingComputer reported this week, the ShinyHunters and Scattered Spider extortion groups are switching to a new ransomware-as-a-service platform named ShinySp1d3r, after previously using other ransomware gangs’ encryptors in attacks, including ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.

