CrowdStrike Fires Insider After Screenshots Sold To Scattered Lapsus$ Hunters

The threat group claimed wider Salesforce-related breaches, but CrowdStrike reported no system compromise.

Published on Nov 25, 2025

CrowdStrike said it has dismissed an insider who shared screenshots of internal dashboards with the cybercrime collective calling itself Scattered Lapsus$ Hunters.

The images, later posted on the group’s Telegram channel, showed links to internal resources, including an Okta Single Sign-On (SSO) portal. According to CrowdStrike’s statements, the incident did not involve a breach of company systems.

The threat actors reportedly attempted to frame the screenshots as evidence of unauthorized access achieved through Gainsight, a third-party customer-success platform involved in a broader wave of Salesforce-related intrusions. Salesforce confirmed it had disconnected Gainsight-published applications after attackers claimed to have compromised multiple customers through those integrations.

CrowdStrike denied the hackers’ claims, saying its internal investigation identified a single individual who “shared pictures of his computer screen externally.” The company said it revoked the insider’s access, terminated their engagement, and referred the case to law enforcement. CrowdStrike did not specify whether the individual was an employee, contractor, or partner.

Members of Scattered Lapsus$ Hunters told BleepingComputer they paid the insider USD 25,000 for screenshots, single sign-on cookies, and access to internal systems. The group said the insider was detected before they could use the authentication data.

A Series of High-Profile Hacks

The collective has been linked to a series of high-profile data-theft operations against Salesforce customers. It previously claimed responsibility for breaches affecting brands such as Google, Cisco, Allianz Life, Qantas, Adidas, and multiple luxury retail groups. 

The attackers also alleged involvement in the Jaguar Land Rover incident that contributed to more than GBP 196 million in operational losses.

These campaigns relied heavily on social engineering, particularly voice phishing, to persuade employees to surrender credentials.

ShinyHunters recently expanded its activities by launching a new ransomware-as-a-service platform, raising concerns that financially motivated social-engineering groups are deepening their operational capabilities.