American cybersecurity company CrowdStrike has confirmed that screenshots taken from its internal systems were shared with hacker groups by a now-terminated employee.
The disclosure follows the appearance of the screenshots on Telegram, posted by the cybercrime collective known as Scattered Lapsus$ Hunters.
In a statement to BleepingComputer, a CrowdStrike spokesperson said the company’s security was not compromised as a result of the insider activity and that customers remained fully protected. According to the spokesperson, the employee in question was identified during an internal investigation last month.
The individual was later terminated and the matter has been reported to law enforcement.
CrowdStrike did not clarify which threat group was behind the leak or what drove the employee to share sensitive images.
However, the company offered the statement after BleepingComputer reached out regarding screenshots of CrowdStrike systems circulating on Telegram. Those screenshots were posted by members of ShinyHunters, Scattered Spider, and the Lapsus$ group, who now operate collectively under the name Scattered Lapsus$ Hunters.
ShinyHunters told BleepingComputer that they allegedly paid the insider 25,000 dollars for access to CrowdStrike’s network.
The threat actors claimed they received SSO authentication cookies, but CrowdStrike had already detected the suspicious activity and revoked the employee’s access.
The group also claimed it attempted to buy internal CrowdStrike reports on ShinyHunters and Scattered Spider but never received them.
Scattered Lapsus$ Hunters have been responsible for a large-scale extortion campaign against companies using Salesforce. Since the beginning of the year, the group has launched voice phishing attacks to breach Salesforce customers. Their list of known or claimed victims includes Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, and luxury brands under LVMH such as Dior, Louis Vuitton, and Tiffany & Co.
They have also attempted to extort numerous high-profile organizations including FedEx, Disney, McDonald’s, Marriott, Home Depot, UPS, Chanel, and IKEA.
The group has previously claimed responsibility for a major breach at Jaguar Land Rover that exposed sensitive data and disrupted operations, resulting in losses estimated at more than 196 million pounds.
Most recently, ShinyHunters asserted that over 280 companies were affected in a new wave of Salesforce-related data theft. Among the names mentioned were LinkedIn, GitLab, Atlassian, Verizon, and DocuSign.
Though, DocuSign has denied being breached, stating that internal investigations have shown no evidence of compromise.
