CrowdStrike confirmed that internal screenshots shared by a now-terminated employee were leaked to the **Scattered Lapsus$ Hunters** cybercrime collective and published on Telegram. The insider was allegedly paid **$25,000** by **ShinyHunters** for access, including SSO authentication cookies. CrowdStrike detected the unauthorized activity and revoked the insider's access before any critical systems or customer data were reached, and stated that **no breach of its systems occurred** and **no customer data was exposed**.

The leak was part of a broader extortion campaign by **Scattered Lapsus$ Hunters**, a collective linked to high-profile breaches at companies including **Google, Cisco, and Jaguar Land Rover** (which suffered **$220M in damages**). The group has also targeted **Salesforce, FedEx, Disney, and Marriott** through voice-phishing and ransomware-as-a-service (RaaS) platforms like **ShinySp1d3r**. While the incident involved insider-driven data exposure, CrowdStrike maintained that its core security infrastructure remained intact, and law enforcement was engaged for further investigation.
Source: https://cybersafe.news/crowdstrike-insider-leak-exposed-no-breach-reported/
CrowdStrike cybersecurity rating report: https://www.rankiteo.com/company/crowdstrike
"id": "CRO4432044112225",
"linkid": "crowdstrike",
"type": "Breach",
"date": "11/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'None',
'industry': 'Technology (Cybersecurity)',
'location': 'Global (HQ: Sunnyvale, California, USA)',
'name': 'CrowdStrike',
'size': 'Large Enterprise',
'type': 'Cybersecurity Company'}],
'attack_vector': ['Insider Threat (Malicious Employee)',
'Social Engineering (Voice-Phishing)',
'Credential Theft (SSO Authentication Cookies)',
'Dark Web/Telegram Leak'],
'customer_advisories': 'No action required for customers; incident contained '
'internally.',
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['Screenshots (Images)',
'Cookies (Text)'],
'sensitivity_of_data': 'Moderate (Internal Operational Data, '
'No Customer PII)',
'type_of_data_compromised': ['Internal Screenshots',
'Authentication Cookies '
'(Attempted)']},
'description': 'CrowdStrike confirmed that internal screenshots shared by a '
'now-terminated employee were leaked by the Scattered Lapsus$ '
'Hunters cybercrime collective on Telegram. The company stated '
'that no breach of its systems occurred and no customer data '
'was exposed. The insider allegedly sold access to '
'ShinyHunters for $25,000, including SSO authentication '
'cookies, but CrowdStrike detected and terminated the '
'insider’s access before further damage. The incident is '
'linked to broader extortion campaigns by Scattered Lapsus$ '
'Hunters, targeting high-profile companies like Google, Cisco, '
'and Jaguar Land Rover.',
'impact': {'brand_reputation_impact': 'Moderate (Public Disclosure of Insider '
'Incident)',
'data_compromised': ['Internal Screenshots',
'SSO Authentication Cookies (Attempted)'],
'operational_impact': 'Minimal (No System Breach or Customer Data '
'Exposure)'},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': 'Insider (Terminated Employee)',
'high_value_targets': ['SSO Authentication Cookies',
'Internal Reports '
'(Attempted)']},
'investigation_status': 'Ongoing (Law Enforcement Involved)',
'lessons_learned': 'Importance of insider threat monitoring, rapid credential '
'revocation, and proactive dark web intelligence to '
'mitigate leaks from disgruntled or compromised employees. '
'Highlights the growing collaboration among cybercriminal '
'groups (e.g., Scattered Lapsus$ Hunters) in extortion '
'campaigns.',
'motivation': ['Financial Gain',
'Extortion',
'Reputation Damage',
'Data Theft for Resale'],
'post_incident_analysis': {'corrective_actions': ['Termination of malicious '
'insider',
'Enhanced monitoring of '
'privileged user activities',
'Review of access controls '
'for high-value internal '
'data',
'Proactive threat hunting '
'for Scattered Lapsus$ '
'Hunters-related activity'],
'root_causes': ['Insider abuse of access '
'privileges',
'Inadequate monitoring of '
'credential exfiltration attempts',
'Lack of real-time dark web '
'monitoring for leaked internal '
'data']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Enhance insider threat detection programs with '
'behavioral analytics.',
'Implement stricter access controls and just-in-time '
'(JIT) privilege escalation.',
'Monitor dark web/Telegram channels for leaked '
'credentials or internal data.',
'Conduct regular security awareness training on social '
'engineering risks (e.g., voice-phishing).',
'Strengthen collaboration with law enforcement for threat '
'actor disruption.'],
'references': [{'source': 'CrowdStrike Official Statement'},
{'source': 'Media Reports on Scattered Lapsus$ Hunters '
'Activity'}],
'regulatory_compliance': {'legal_actions': ['Law Enforcement Investigation']},
'response': {'communication_strategy': ['Public Statement',
'Media Engagement'],
'containment_measures': ['Termination of Insider Access',
'Revocation of Compromised Credentials'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True},
'stakeholder_advisories': 'CrowdStrike reassured customers that no systems or '
'customer data were compromised.',
'threat_actor': ['Scattered Lapsus$ Hunters',
'ShinyHunters',
'Scattered Spider'],
'title': 'CrowdStrike Insider Threat Incident Involving Scattered Lapsus$ '
'Hunters',
'type': ['Insider Threat', 'Data Leak', 'Extortion'],
'vulnerability_exploited': 'Human Factor (Insider Access Abuse)'}
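The record above lists SSO authentication cookies as the asset the insider tried to sell and "rapid credential revocation" as the lesson learned. An SSO cookie is a bearer credential: whoever holds it is the user until the server stops honouring it. The following is an added illustration, not CrowdStrike's code and not derived from the article, of the server-side session design that makes that containment step possible: opaque session tokens kept in a server-side registry, every session of a user revocable at once (offboarding or containment), and a session-reuse check that flags a cookie presented from a client that does not look like the one it was issued to. The `SessionRegistry` class, the IP-plus-User-Agent fingerprint and the user names are assumptions for the example.

```python
"""Server-side session registry with instant revocation and cookie-reuse detection.

Added example (not CrowdStrike's code). A self-contained signed cookie or JWT with
no server-side state cannot be revoked before it expires; keeping session state on
the server lets an operator kill a departing insider's sessions immediately and
notice when a copied cookie is replayed from somewhere else.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    fingerprint: str        # hash of client attributes captured at login
    issued_at: float
    revoked: bool = False
    revoke_reason: str = ""


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse binding of a session to the client that created it (assumed scheme)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionRegistry:
    def __init__(self, ttl_seconds: int = 8 * 3600):
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl_seconds
        self.alerts: List[str] = []   # what a SOC would receive

    def issue(self, user: str, ip: str, user_agent: str,
              now: Optional[float] = None) -> str:
        """Create a session; the token is opaque, so there is nothing to decode or forge."""
        token = secrets.token_urlsafe(32)
        issued = now if now is not None else time.time()
        self._sessions[token] = Session(user, client_fingerprint(ip, user_agent), issued)
        return token

    def validate(self, token: str, ip: str, user_agent: str,
                 now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live session, or None (possibly raising an alert)."""
        now = now if now is not None else time.time()
        sess = self._sessions.get(token)
        if sess is None or sess.revoked:
            return None
        if now - sess.issued_at > self._ttl:
            sess.revoked, sess.revoke_reason = True, "expired"
            return None
        if sess.fingerprint != client_fingerprint(ip, user_agent):
            # The cookie is being presented from a different client context. Treat it
            # as a stolen bearer token: revoke everything the user holds and alert.
            self.revoke_user(sess.user, "cookie reuse from unrecognised client")
            self.alerts.append(f"possible stolen session cookie for {sess.user} from {ip}")
            return None
        return sess.user

    def revoke_user(self, user: str, reason: str) -> int:
        """Offboarding or containment: every session of the user dies at once."""
        count = 0
        for sess in self._sessions.values():
            if sess.user == user and not sess.revoked:
                sess.revoked, sess.revoke_reason = True, reason
                count += 1
        return count


def demo() -> dict:
    """Walk through a legitimate use, a replay of the same cookie, and the aftermath."""
    reg = SessionRegistry()
    t0 = 1_700_000_000.0                       # fixed clock so the run is deterministic
    tok = reg.issue("alice", "10.0.0.5", "Mozilla/5.0 corp-laptop", now=t0)
    legit = reg.validate(tok, "10.0.0.5", "Mozilla/5.0 corp-laptop", now=t0 + 60)
    # The same cookie replayed from an unrelated host, as a buyer of the cookie would.
    stolen = reg.validate(tok, "203.0.113.9", "curl/8.0", now=t0 + 120)
    # The original client is now locked out too: the whole user was revoked.
    after = reg.validate(tok, "10.0.0.5", "Mozilla/5.0 corp-laptop", now=t0 + 180)
    return {"legit": legit, "stolen": stolen, "after": after, "alerts": len(reg.alerts)}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. Binding a session to IP and User-Agent is deliberately coarse: it catches a cookie pasted into a different tool on a different network, but produces false positives for roaming users and is trivially matched by an attacker who copies the victim's User-Agent along with the cookie. Stronger bindings tie the session to a device-held key rather than to observable headers, and short session lifetimes limit how long a copied cookie stays useful either way. The part that does not depend on the fingerprint is the server-side registry itself: without it, a stateless token survives until expiry no matter how quickly the insider is detected.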