CrowdStrike says it has fired a “suspicious insider” after they were allegedly caught sending information about the company’s operations to prominent hackers.

The US cybersecurity giant confirmed the news on Friday after the hacking collective known as Scattered Lapsus$ Hunters released screenshots on the messaging service Telegram which reportedly showed internal CrowdStrike dashboards and resources.

The hackers reportedly said they gained access to CrowdStrike systems through a recent breach of Gainsight, a US company which sells applications for consolidating data from popular customer service and marketing platforms like Salesforce.

CrowdStrike told US media the hackers’ claims were “false”, but confirmed it fired an insider in October after they were allegedly caught sharing company information externally.

“We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally,” CrowdStrike told Information Age in a statement.

“Our systems were never compromised and customers remained protected throughout.

“We have turned the case over to relevant law enforcement agencies.”

Scattered Lapsus$ Hunters claims more Salesforce breaches

Scattered Lapsus$ Hunters — a hacking collective made up of groups including Scattered Spider, Lapsus$, and ShinyHunters — last week claimed responsibility for hacking numerous companies’ Salesforce instances after Salesforce disclosed a breach of some customers’ data through Gainsight.

Aside from claiming to have gained access to CrowdStrike systems, the hacking group also reportedly claimed responsibility for breaches at the likes of Atlassian, Docusign, GitLab, LinkedIn, and Malwarebytes.

Members of Scattered Lapsus$ Hunters are known for often using social engineering attacks to trick workers into providing access to company systems, as they allegedly did with Australian airline Qantas in June before releasing customer data onto the dark web in October.


Hackers claim they gained accessed to CrowdStrike systems through a recent breach of customer service apps provided by Gainsight. Image: Shutterstock

Salesforce said Gainsight’s issues appeared to be “related to the app’s external connection to Salesforce”.

“There is no indication that this issue resulted from any vulnerability in the Salesforce platform,” the company said.

Gainsight said it continued to work with Salesforce “on the ongoing investigation into the incident”.

“In parallel, a forensic analysis is continuing as part of a comprehensive and independent review,” it said.

Google Threat Intelligence Group’s principal threat analyst, Austin Larsen, said his colleagues had “observed threat actors, tied to ShinyHunters, compromising third-party OAuth tokens to potentially gain unauthorised access to Salesforce customer instances”.

OAuth, which stands for Open Authorisation, is an internet protocol which allows users to grant an application access to their information in another application without sharing a password; the granted access is represented by a token that the application presents on the user’s behalf.
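As an added illustration that is not part of the article, and not Salesforce, Gainsight or Okta code, the following Python model shows the delegated-access pattern described above and why a compromised integration token matters. All names (the `AuthorizationServer` and `ResourceServer` classes, the `crm-sync-app` integration, the user `alice`) and IP addresses are constructed for the example. It demonstrates that the integration holds a token rather than the user’s password, that rotating the password does not invalidate the token, and that revoking the integration’s grant is what cuts off access; the resource server’s audit trail records the denied attempt after revocation, which is the event a defender would alert on.

```python
"""Toy model of OAuth-style delegated access (constructed example, not any vendor's code)."""
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """A user's consent for one application to act with a set of scopes."""
    app_id: str
    user: str
    scopes: frozenset
    revoked: bool = False


class AuthorizationServer:
    """Authenticates users once, then issues bearer tokens bound to a Grant."""

    def __init__(self):
        self._passwords = {}   # user -> password (plaintext only because this is a toy)
        self._grants = {}      # token -> Grant

    def register_user(self, user, password):
        self._passwords[user] = password

    def change_password(self, user, new_password):
        self._passwords[user] = new_password

    def authorize(self, user, password, app_id, scopes):
        """The user proves identity here; the app receives a token, never the password."""
        if self._passwords.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(24)
        self._grants[token] = Grant(app_id, user, frozenset(scopes))
        return token

    def revoke_app(self, app_id):
        """Revoke every grant held by one integration; returns how many were revoked."""
        count = 0
        for grant in self._grants.values():
            if grant.app_id == app_id and not grant.revoked:
                grant.revoked = True
                count += 1
        return count

    def introspect(self, token):
        """Return the live Grant behind a token, or None if unknown or revoked."""
        grant = self._grants.get(token)
        if grant is None or grant.revoked:
            return None
        return grant


class ResourceServer:
    """Holds the user's records and accepts bearer tokens, keeping an audit log."""

    def __init__(self, auth):
        self.auth = auth
        self.audit = []

    def read_records(self, token, source_ip):
        grant = self.auth.introspect(token)
        allowed = grant is not None and "records:read" in grant.scopes
        self.audit.append({
            "token_prefix": token[:6],
            "app": grant.app_id if grant else None,
            "source_ip": source_ip,
            "allowed": allowed,
        })
        if not allowed:
            raise PermissionError("token denied")
        return [f"record belonging to {grant.user}"]


def denied_token_uses(audit):
    """Detection helper: audit entries where a token was presented but refused."""
    return [entry for entry in audit if not entry["allowed"]]


def demo():
    auth = AuthorizationServer()
    auth.register_user("alice", "original-password")   # constructed credential
    resources = ResourceServer(auth)

    # 1. alice grants the integration read access; the app stores only the token.
    token = auth.authorize("alice", "original-password", "crm-sync-app", ["records:read"])
    first_read = resources.read_records(token, "203.0.113.10")

    # 2. Rotating alice's password does not touch the token: it still works.
    auth.change_password("alice", "rotated-password")
    read_after_rotation = resources.read_records(token, "198.51.100.7")

    # 3. Revoking the integration's grant is what actually stops the token.
    revoked = auth.revoke_app("crm-sync-app")
    try:
        resources.read_records(token, "198.51.100.7")
        denied_after_revoke = False
    except PermissionError:
        denied_after_revoke = True

    return {
        "first_read_ok": bool(first_read),
        "read_after_rotation_ok": bool(read_after_rotation),
        "grants_revoked": revoked,
        "denied_after_revoke": denied_after_revoke,
        "denied_events": len(denied_token_uses(resources.audit)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the order of operations in step 2 and step 3: a password reset is the instinctive response to a suspected compromise, but a bearer token issued to a third-party integration is independent of the password, so the effective control is revoking the integration’s grants and then watching the audit log for any token presented after that point.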

Charlotte Wylie, deputy chief security officer at access management provider Okta, wrote the OAuth compromises were “yet another example of how our interconnected SaaS [Software as a Service] and AI supply chains are becoming the biggest risk to enterprises today”.

“Exploiting the trust granted to third-party integrations is far more efficient and effective for attacker [sic] than going after vulnerabilities in core platforms or targeting employees and endpoints,” Wylie said.

Don’t sleep on insider threats

News of CrowdStrike removing a “suspicious insider” follows other recent examples of similarly nefarious behaviour by workers and former employees at other companies.

Australia’s Origin Energy confirmed a data breach in October after an employee allegedly tried to email customer credit card data to their personal email address after they were terminated by the firm, Information Age exclusively reported.

A software developer, found guilty in March of inserting a “kill switch” that caused damage when he was fired by US power management company Eaton Corp, was sentenced to four years in prison in August.

A fired IT worker was also given a prison term by a Singapore court in June 2024 after remotely deleting around 180 of his former employer’s virtual servers.

While not done intentionally, CrowdStrike itself famously caused a major outage of millions of Microsoft Windows devices in July 2024 after issuing a problematic software update.